What is the CVSS score of CVE-2026-49358?

CVE-2026-49358 has a CVSS 3.1 base score of 3.0 (Low). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L.

Is there a patch available for CVE-2026-49358?

Yes, a patch is available for CVE-2026-49358. Update the affected software to the latest version immediately.

PhpWeasyPrint CVE-2026-49358

EUVD-2026-38036 LOW

External Control of File Name or Path (CWE-73)

2026-06-19 GitHub_M

PHP RCE Php Weasyprint

3.0

CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY

3.0 LOW

AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

vuln.today AI

3.0 LOW

Local code access and high privilege (PR:H) required to reference the generator instance; no confidentiality impact; limited integrity and availability from file deletion only.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch available

Jun 19, 2026 - 16:01 EUVD

Source Code Evidence Fetched

Jun 19, 2026 - 15:32 vuln.today

Analysis Generated

Jun 19, 2026 - 15:32 vuln.today

DescriptionCVE.org

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, AbstractGenerator::$temporaryFiles is a public array, and removeTemporaryFiles() - invoked from __destruct() and from a registered shutdown function - calls unlink() on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue GHSA-87qc-37cw-84h4. PhpWeasyPrint version 2.6.0 contains a patch for the issue.

AnalysisAI

Arbitrary file deletion in PhpWeasyPrint prior to version 2.6.0 allows any code holding a reference to a generator instance to inject arbitrary filesystem paths into the public AbstractGenerator::$temporaryFiles array, which are then passed to unlink() without path-containment validation during script shutdown or object destruction. The vulnerability mirrors a previously disclosed pattern in the related KnpLabs/snappy library (GHSA-87qc-37cw-84h4), and is exploitable by malicious dependencies, plugin code, or any PHP code co-located in the same process with access to the generator object. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker deploys malicious Composer package

Delivery

Package obtains reference to generator instance

Exploit

Inject target file path into public $temporaryFiles

Execution

PHP process shutdown triggers removeTemporaryFiles()

Impact

unlink() deletes arbitrary file

Access

Attacker deploys malicious Composer package

Delivery

Package obtains reference to generator instance

Exploit

Inject target file path into public $temporaryFiles

Execution

PHP process shutdown triggers removeTemporaryFiles()

Impact

unlink() deletes arbitrary file

Vulnerability AssessmentAI

Exploitation	Exploitation requires that the attacker's code runs within the same PHP process as the PhpWeasyPrint generator instance and can obtain a reference to that instance object. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The NVD-assigned CVSS 3.1 score of 3.0 (AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L) accurately reflects the constrained threat model: exploitation requires local code-level access to the PHP process and high privilege (the ability to reference or inject into the generator object), making this a low-priority issue in isolation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A malicious or compromised Composer package installed alongside PhpWeasyPrint obtains a reference to a generator instance during the application's normal PDF rendering flow, then appends a sensitive file path (such as a configuration file or database credential file) to `$temporaryFiles`. When the PHP script completes - either via normal termination or via the registered shutdown function - `removeTemporaryFiles()` iterates the array and calls `unlink()` on the injected path, silently deleting it without any path-safety check. …
Remediation	The primary fix is to upgrade pontedilana/php-weasyprint to version 2.6.0, which introduces path-containment validation in `removeTemporaryFiles()` via `realpath()` and `strncmp()` prefix enforcement. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH This Week POC

7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi

CVE-2026-9815 MEDIUM This Month POC

6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co

CVE-2026-48908 CRITICAL Act Now

10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL Act Now

10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve

CVE-2025-69108 CRITICAL Act Now

9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

CVE-2026-49358 vulnerability details – vuln.today

Back