
PhpWeasyPrint CVE-2026-49286

EUVD-2026-38053 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-19 · GitHub_M
CVSS 3.1 base score 8.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 8.1 HIGH
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH
Network-reachable when the output filename parameter is exposed to user input (AV:N, PR:N); AC:H because exploitation requires a PHP 7.x runtime, a stageable PHAR with a gadget chain, and an attacker-influenced output path; full RCE yields C/I/A:H.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Patch available: Jun 19, 2026, 19:02 (EUVD)
  • Source code evidence fetched: Jun 19, 2026, 18:16 (vuln.today)
  • Analysis generated: Jun 19, 2026, 18:16 (vuln.today)

Description (CVE.org)

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so PHAR://, Phar://, etc. bypass the check and reach fileExists() (file_exists()) in prepareOutput(). On PHP 7 (which the library still supports - PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115. The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj). PhpWeasyPrint version 2.6.0 contains a patch for the issue.

Analysis (AI)

PHAR deserialization in PhpWeasyPrint versions prior to 2.6.0 allows remote code execution by bypassing the case-sensitive phar:// blacklist introduced for CVE-2023-28115. Because PHP resolves stream wrapper names case-insensitively, schemes such as PHAR:// or PhAr:// pass the string comparison and reach file_exists() in prepareOutput(). When the library runs on PHP 7 (7.4 is the oldest release it supports; PHP 8 no longer unserializes PHAR metadata on filesystem calls) and an attacker can influence the output filename argument passed to the generation methods, the metadata of a crafted PHAR archive is unserialized and a gadget chain yields code execution. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: identify an endpoint that passes user input to the PhpWeasyPrint output filename
  • Delivery: stage a crafted PHAR carrying a phpggc gadget chain on a filesystem path reachable by the target
  • Exploit: submit a request with the output filename set to PHAR://path/exploit.phar
  • Execution: the case-sensitive blacklist is bypassed and file_exists() is reached
  • Persist: PHP unserializes the PHAR metadata and triggers the gadget's __destruct
  • Impact: arbitrary code runs as the web server user

Vulnerability Assessment (AI)

Exploitation requires: (1) the application to forward attacker-controlled data into the $filename / output-path parameter of PhpWeasyPrint's generate(), generateFromHtml(), or generateFromHtmlFile() (and the Image equivalents) before they call prepareOutput(); (2) the host PHP runtime to be PHP 7.x (in practice 7.4, the oldest release the library supports) - PHP 8.0+ removed implicit PHAR metadata unserialization on filesystem calls and is not exploitable through this path; (3) a PHAR archive containing a viable PHP unserialize gadget chain (e.g. … Additional conditions and limiting factors are described in the full assessment.

Risk assessment: The CVSS 3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a serious RCE primitive but appropriately marks AC:H, because exploitation depends on the application passing attacker-influenced data into the output-filename parameter of generate()/generateFromHtml(), on the host running PHP 7.x, and on a PHAR file with a viable gadget chain being reachable from the target filesystem. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit scenario: An application uses PhpWeasyPrint on PHP 7.4 to render user-supplied HTML to a PDF whose output filename is derived from a request parameter (for example a 'report_name' field). The attacker first uploads or stages a PHAR archive whose metadata contains a phpggc-generated gadget chain (e.g. …

Remediation: Vendor-released patch: PhpWeasyPrint 2.6.0, available at https://github.com/pontedilana/php-weasyprint/releases/tag/2.6.0, which replaces the case-sensitive phar:// blacklist with a parse_url-based allow-list of the 'file' scheme (commit d1aa487722b5a3cab9b222b85fdb5608a5a550c3). … Detailed patch versions, workarounds, and compensating controls in full report.
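The following is an added example, not code from php-weasyprint or from this page, that puts the bypass described in the Analysis next to the fix described in the Remediation. The pre-2.6.0 check is reconstructed here as a case-sensitive prefix comparison (an assumption about its exact form; the page only says the blacklist was case-sensitive), and the hardened check implements the parse_url()-based allow-list of the 'file' scheme that the page attributes to 2.6.0. Function names and the probe strings are hypothetical.

```php
<?php
// Added example (not php-weasyprint's own code): a case-sensitive "phar://"
// blacklist, as CVE-2026-49286 describes the pre-2.6.0 check, beside a
// parse_url()-based allow-list of the "file" scheme, as the 2.6.0 fix is
// described. The exact form of the old check is an assumption.

declare(strict_types=1);

/**
 * Reconstructed weak check (assumed shape: case-sensitive prefix match).
 * Rejects "phar://..." but lets "PHAR://..." or "PhAr://..." through, even
 * though PHP resolves stream wrapper names case-insensitively, so those
 * spellings still open the archive when they reach file_exists().
 */
function rejectsPharCaseSensitive(string $filename): bool
{
    return strpos($filename, 'phar://') === 0; // true => rejected
}

/**
 * Hardened check: accept only paths with no scheme at all, or the "file"
 * scheme. parse_url() preserves the scheme's case, so normalise it before
 * comparing; every other wrapper (phar, PHAR, compress.zlib, data, ...) is
 * refused regardless of spelling.
 */
function isAllowedOutputPath(string $filename): bool
{
    $scheme = parse_url($filename, PHP_URL_SCHEME);
    if ($scheme === false) {
        return false; // unparseable input: refuse rather than guess
    }
    if ($scheme === null) {
        return true;  // plain relative or absolute path, no wrapper
    }
    return strtolower($scheme) === 'file';
}

// Constructed probe strings, not taken from the page.
$probes = [
    '/var/www/out/report.pdf',
    'file:///var/www/out/report.pdf',
    'phar:///tmp/uploads/evil.phar/report.pdf',
    'PHAR:///tmp/uploads/evil.phar/report.pdf',
    'PhAr:///tmp/uploads/evil.phar/report.pdf',
    'compress.zlib:///tmp/uploads/evil.phar',
];

foreach ($probes as $p) {
    printf(
        "%-44s blacklist rejects: %-3s  allow-list accepts: %s\n",
        $p,
        rejectsPharCaseSensitive($p) ? 'yes' : 'no',
        isAllowedOutputPath($p) ? 'yes' : 'no'
    );
}
```

Only the lowercase spelling is caught by the prefix comparison, while the allow-list accepts the first two probes and refuses the rest. One caveat to check before reusing this pattern: on Windows, a drive-letter path such as C:\out\report.pdf is parsed by parse_url() as a one-letter scheme and would be refused by isAllowedOutputPath(); an application that runs there needs to handle that case explicitly rather than loosen the scheme check.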

Recommended Action (AI)

Within 24 hours: inventory all systems running PhpWeasyPrint and identify instances prior to version 2.6.0; audit whether output filename parameters are user-controllable. …
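As an added triage helper for the inventory step above (not code from vuln.today or php-weasyprint), the script below reads a composer.lock, reports whether pontedilana/php-weasyprint is installed below 2.6.0, and flags whether the running PHP is a 7.x build, where the PHAR metadata unserialization on file_exists() is reachable. The embedded composer.lock is constructed sample data; pass a real lock file path as the first argument to check an actual project.

```php
<?php
// Added example (not from vuln.today or php-weasyprint): triage helper for
// CVE-2026-49286. Reads composer.lock, compares the installed library version
// against the patched release and checks the PHP runtime generation.
// The embedded composer.lock below is constructed sample data.

declare(strict_types=1);

const PACKAGE         = 'pontedilana/php-weasyprint';
const PATCHED_VERSION = '2.6.0';

/** Installed version of $package from composer.lock JSON, or null if absent. */
function installedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? '') === $package) {
                // Composer may record tags as "v2.5.0"; version_compare wants "2.5.0".
                return ltrim((string) $entry['version'], 'v');
            }
        }
    }
    return null;
}

/**
 * Classify the installation. "rce_reachable" is true only when the library is
 * below 2.6.0 AND the runtime is PHP 7.x: PHP 8.0+ removed implicit PHAR
 * metadata unserialization on filesystem calls, so the bypass still exists
 * there but does not lead to the deserialization described by the CVE.
 */
function assess(string $lockJson, int $phpVersionId): array
{
    $version = installedVersion($lockJson, PACKAGE);
    if ($version === null) {
        return ['installed' => false];
    }
    $vulnerable = version_compare($version, PATCHED_VERSION, '<');
    return [
        'installed'     => true,
        'version'       => $version,
        'vulnerable'    => $vulnerable,
        'rce_reachable' => $vulnerable && $phpVersionId < 80000,
    ];
}

// Constructed sample lock file; a real one is used when a path is given.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "pontedilana/php-weasyprint", "version": "2.5.0"},
    {"name": "symfony/process", "version": "v6.4.8"}
  ],
  "packages-dev": []
}
JSON;

$lockJson = isset($argv[1]) ? file_get_contents($argv[1]) : $sampleLock;
$result   = assess($lockJson, PHP_VERSION_ID);

if (!$result['installed']) {
    echo PACKAGE, " not present in composer.lock\n";
} else {
    printf("%s %s: %s\n", PACKAGE, $result['version'],
        $result['vulnerable'] ? 'below ' . PATCHED_VERSION . ', upgrade' : 'patched');
    if ($result['vulnerable']) {
        echo $result['rce_reachable']
            ? "PHP 7.x runtime: PHAR metadata unserialize reachable, treat as RCE\n"
            : "PHP 8.0+ runtime: RCE path not reachable, but still patch the bypass\n";
    }
}
```

Run it as `php triage.php /path/to/project/composer.lock` on each host from the inventory. The version check alone does not tell you whether the output filename is user-controllable, which is the second half of the recommended audit; that still requires reviewing the call sites of generate(), generateFromHtml() and generateFromHtmlFile().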



CVE-2026-49286 vulnerability details – vuln.today
