Skip to main content

PhpWeasyPrint EUVD-2026-38036

| CVE-2026-49358 LOW
External Control of File Name or Path (CWE-73)
2026-06-19 GitHub_M
PHP RCE Php Weasyprint
3.0
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
3.0 LOW
AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
3.0 LOW

Local code access and high privilege (PR:H) required to reference the generator instance; no confidentiality impact; limited integrity and availability from file deletion only.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 16:01 EUVD
Source Code Evidence Fetched
Jun 19, 2026 - 15:32 vuln.today
Analysis Generated
Jun 19, 2026 - 15:32 vuln.today

DescriptionCVE.org

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, AbstractGenerator::$temporaryFiles is a public array, and removeTemporaryFiles() - invoked from __destruct() and from a registered shutdown function - calls unlink() on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue GHSA-87qc-37cw-84h4. PhpWeasyPrint version 2.6.0 contains a patch for the issue.

AnalysisAI

Arbitrary file deletion in PhpWeasyPrint prior to version 2.6.0 allows any code holding a reference to a generator instance to inject arbitrary filesystem paths into the public AbstractGenerator::$temporaryFiles array, which are then passed to unlink() without path-containment validation during script shutdown or object destruction. The vulnerability mirrors a previously disclosed pattern in the related KnpLabs/snappy library (GHSA-87qc-37cw-84h4), and is exploitable by malicious dependencies, plugin code, or any PHP code co-located in the same process with access to the generator object. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker deploys malicious Composer package
Delivery
Package obtains reference to generator instance
Exploit
Inject target file path into public $temporaryFiles
Execution
PHP process shutdown triggers removeTemporaryFiles()
Impact
unlink() deletes arbitrary file
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker's code runs within the same PHP process as the PhpWeasyPrint generator instance and can obtain a reference to that instance object. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 3.0 (AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L) accurately reflects the constrained threat model: exploitation requires local code-level access to the PHP process and high privilege (the ability to reference or inject into the generator object), making this a low-priority issue in isolation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised Composer package installed alongside PhpWeasyPrint obtains a reference to a generator instance during the application's normal PDF rendering flow, then appends a sensitive file path (such as a configuration file or database credential file) to `$temporaryFiles`. When the PHP script completes - either via normal termination or via the registered shutdown function - `removeTemporaryFiles()` iterates the array and calls `unlink()` on the injected path, silently deleting it without any path-safety check. …
Remediation The primary fix is to upgrade pontedilana/php-weasyprint to version 2.6.0, which introduces path-containment validation in `removeTemporaryFiles()` via `realpath()` and `strncmp()` prefix enforcement. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

EUVD-2026-38036 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy