Severity by source

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Vendor: GitHub_M)

Requires low-privilege app access to control the attachment option (PR:L); confidentiality is high from arbitrary local file read and SSRF; no integrity or availability impact.

Primary rating from Vendor (GitHub_M).
Description (CVE.org)
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, pontedilana/php-weasyprint fetches the content of option values server-side via file_get_contents() when the value looks like a URL, without restricting the URL scheme. The attachment option of Pdf is the reachable sink: any value that passes isOptionUrl() (filter_var(..., FILTER_VALIDATE_URL)) is downloaded by the PHP process and embedded into the generated PDF. Because FILTER_VALIDATE_URL accepts http, https, ftp, file and PHP stream wrappers such as php://, an attacker who can influence the attachment value reaches both a Server-Side Request Forgery primitive (e.g. internal HTTP endpoints, cloud metadata) and a local file disclosure primitive (file://, php://filter/...), with the fetched bytes exfiltrated as a PDF attachment. This is the same class of issue KnpLabs/snappy patched for its xsl-style-sheet option in GHSA-c5fp-p67m-gq56. The library is documented as a one-to-one substitute for KnpLabs/snappy and shares the same code shape. PhpWeasyPrint version 2.6.0 contains a patch for the issue.
Analysis (AI)
PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its attachment option, which passes any URL-shaped value through PHP's file_get_contents() without restricting the URL scheme. Applications that expose the attachment option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as file:// or php://filter/..., with exfiltrated content embedded directly into the generated PDF output. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that application code passes user-controlled input directly to the `attachment` option of the `Pdf` class without sanitization (e.g., `$pdf->setOption('attachment', $_GET['file'])`). … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, score 6.5) accurately characterizes the core risk: network-exploitable, low complexity, but gated on low-privilege application access (PR:L) to supply a crafted `attachment` value. … |
| Exploit Scenario | An attacker with authenticated low-privilege access submits a PDF generation request where the `attachment` parameter contains `php://filter/convert.base64-encode/resource=/etc/passwd`; the pre-2.6.0 library validates this as a URL via `FILTER_VALIDATE_URL` and calls `file_get_contents()` on it, reading and base64-encoding the target file's contents. The resulting bytes are embedded into the generated PDF as an attachment, which the attacker downloads and decodes to recover the plaintext of `/etc/passwd` or any other file readable by the PHP process. … |
| Remediation | Upgrade `pontedilana/php-weasyprint` to version 2.6.0 or later via Composer (`composer require pontedilana/php-weasyprint:^2.6.0`); the vendor-released patch is confirmed at https://github.com/pontedilana/php-weasyprint/releases/tag/2.6.0 with fix commit 9582dcf119a405276cf55e9e10bc577a887792cb. … |
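The check shape the description and assessment describe (FILTER_VALIDATE_URL, then file_get_contents()) next to a scheme- and host-restricted alternative, as an added PHP illustration that is not the library's code or its 2.6.0 fix; function names and sample inputs are assumed.

```php
<?php
// Added illustration; not pontedilana/php-weasyprint's own code or its 2.6.0 fix.
// Function names and the sample inputs are assumed for this example.

// Check shape the advisory describes: FILTER_VALIDATE_URL accepts file://, ftp://
// and php:// as readily as http(s), so a file_get_contents() on a value that
// passes becomes a local file read or SSRF primitive.
function isOptionUrlUnrestricted(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_URL) !== false;
}

// Hardened shape: parse the value and allow only http/https with a host part.
function isOptionUrlRestricted(string $value): bool
{
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// A scheme allowlist stops file:// and php://, but http(s) to internal hosts
// (cloud metadata, for one) stays reachable, so resolve the host (IPv4 only
// here) and reject private and reserved ranges. Caveats: DNS rebinding can
// change the answer between check and fetch, and file_get_contents() follows
// redirects, so the fetch itself should use a client that re-validates each hop.
function isRemoteHostAllowed(string $host): bool
{
    $ip = gethostbyname($host);  // returns $host unchanged when lookup fails
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Constructed inputs; the file:// and php://filter values are the advisory's own.
$samples = [
    'https://example.com/terms.pdf',
    'http://169.254.169.254/latest/meta-data/',
    'file:///etc/passwd',
    'php://filter/convert.base64-encode/resource=/etc/passwd',
];
foreach ($samples as $s) {
    $host = parse_url($s, PHP_URL_HOST) ?? '';
    printf("%-58s unrestricted=%d restricted=%d\n", $s,
        isOptionUrlUnrestricted($s),
        isOptionUrlRestricted($s) && isRemoteHostAllowed($host));
}
```

The unrestricted check reports 1 for all four inputs; the restricted pair rejects the metadata address and both local-file schemes, and accepts the public URL only when its host resolves to a public address.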
EUVD-2026-38054