ByteOS Network

NVD Vulnerability Details :

CVE-2026-27968

Awaiting Analysis

Source-security-advisories@github.com

Published At-26 Feb, 2026 | 02:16

Updated At-27 Feb, 2026 | 14:06

Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-287	Primary	security-advisories@github.com
CWE-613	Primary	security-advisories@github.com

CWE ID: CWE-287

Type: Primary

Source: security-advisories@github.com

CWE ID: CWE-613

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283	security-advisories@github.com	N/A
https://github.com/packistry/packistry/pull/276	security-advisories@github.com	N/A
https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw	security-advisories@github.com	N/A