
PhpWeasyPrint EUVD-2026-38054 | CVE-2026-49359
Severity: MEDIUM (6.5, CVSS 3.1)
Weakness: Server-Side Request Forgery (SSRF) (CWE-918)
Published: 2026-06-19 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 6.5 MEDIUM
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 6.5 MEDIUM
Requires low-privilege app access to control the attachment option (PR:L); confidentiality is high from arbitrary local file read and SSRF; no integrity or availability impact.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 19, 2026 - 19:02 (EUVD)
Source Code Evidence Fetched: Jun 19, 2026 - 18:16 (vuln.today)
Analysis Generated: Jun 19, 2026 - 18:16 (vuln.today)

Description (CVE.org)

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, pontedilana/php-weasyprint fetches the content of option values server-side via file_get_contents() when the value looks like a URL, without restricting the URL scheme. The attachment option of Pdf is the reachable sink: any value that passes isOptionUrl() (filter_var(..., FILTER_VALIDATE_URL)) is downloaded by the PHP process and embedded into the generated PDF. Because FILTER_VALIDATE_URL accepts http, https, ftp, file and PHP stream wrappers such as php://, an attacker who can influence the attachment value reaches both a Server-Side Request Forgery primitive (e.g. internal HTTP endpoints, cloud metadata) and a local file disclosure primitive (file://, php://filter/...), with the fetched bytes exfiltrated as a PDF attachment. This is the same class of issue KnpLabs/snappy patched for its xsl-style-sheet option in GHSA-c5fp-p67m-gq56. The library is documented as a one-to-one substitute for KnpLabs/snappy and shares the same code shape. PhpWeasyPrint version 2.6.0 contains a patch for the issue.

Analysis (AI)

PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its attachment option, which passes any URL-shaped value through PHP's file_get_contents() without restricting the URL scheme. Applications that expose the attachment option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as file:// or php://filter/..., with exfiltrated content embedded directly into the generated PDF output. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate to application with low-privilege access
Delivery: Submit crafted scheme URL (file:// or php://filter) as attachment option value
Exploit: isOptionUrl() validates scheme via FILTER_VALIDATE_URL without allowlist
Execution: PHP calls file_get_contents() fetching local file or internal endpoint
Persist: Sensitive bytes embedded as PDF attachment
Impact: Download generated PDF to exfiltrate data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that application code passes user-controlled input directly to the `attachment` option of the `Pdf` class without sanitization (e.g., `$pdf->setOption('attachment', $_GET['file'])`). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, score 6.5) accurately characterizes the core risk: network-exploitable, low complexity, but gated on low-privilege application access (PR:L) to supply a crafted `attachment` value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with authenticated low-privilege access submits a PDF generation request where the `attachment` parameter contains `php://filter/convert.base64-encode/resource=/etc/passwd`; the pre-2.6.0 library validates this as a URL via `FILTER_VALIDATE_URL` and calls `file_get_contents()` on it, reading and base64-encoding the target file's contents. The resulting bytes are embedded into the generated PDF as an attachment, which the attacker downloads and decodes to recover the plaintext of `/etc/passwd` or any other file readable by the PHP process. …

Remediation: Upgrade `pontedilana/php-weasyprint` to version 2.6.0 or later via Composer (`composer require pontedilana/php-weasyprint:^2.6.0`); the vendor-released patch is confirmed at https://github.com/pontedilana/php-weasyprint/releases/tag/2.6.0 with fix commit 9582dcf119a405276cf55e9e10bc577a887792cb. … Detailed patch versions, workarounds, and compensating controls in full report.
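The description and the remediation above both turn on one check: an option value is fetched whenever it passes FILTER_VALIDATE_URL, which says nothing about the scheme. The following is an added example, not code from php-weasyprint or from its fix commit, of the compensating control an application can apply before handing a value to such a library (or use to audit its own wrappers): treat a value as a fetchable URL only if it is an absolute http(s) URL with a host, and optionally only for an allowlisted set of hosts. The function name `isSafeRemoteUrl`, the `ALLOWED_SCHEMES` constant and the sample inputs are assumptions constructed for this illustration.

```php
<?php
// Added example (not php-weasyprint's own code): a scheme- and host-allowlisting
// replacement for a "does this option value look like a URL?" check.
// The vulnerable shape described above accepts anything FILTER_VALIDATE_URL
// accepts, including file:// and php:// stream wrappers; this version only
// treats http(s) values with a host as remote URLs to be fetched.
declare(strict_types=1);

// Assumed constant: the only schemes the application ever wants fetched.
const ALLOWED_SCHEMES = ['http', 'https'];

/**
 * Return true only if $value is an absolute http(s) URL whose host is
 * acceptable. Everything else (file://, php://filter/..., ftp://, data:,
 * relative paths) is reported as "not a URL" and must not be fetched.
 *
 * @param string   $value        candidate option value
 * @param string[] $allowedHosts if non-empty, the URL host must be listed here
 *                               (this is what limits SSRF to internal hosts;
 *                               a scheme allowlist alone does not)
 */
function isSafeRemoteUrl(string $value, array $allowedHosts = []): bool
{
    // Same first gate the library used, kept here only as a syntax check.
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // no scheme or no host: file:///path, bare paths, etc.
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return false; // php://, file://, ftp:// and any other wrapper
    }
    if ($allowedHosts !== [] && !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return false; // http(s) but pointed at a host we do not fetch from
    }
    return true;
}

// Constructed sample inputs: values an application might receive for an
// "attachment"-style option. The last two use the schemes the advisory names.
$samples = [
    'https://assets.example.com/report.pdf',
    'http://169.254.169.254/latest/meta-data/',
    'ftp://example.com/a.txt',
    'file:///etc/hostname',
    'php://filter/convert.base64-encode/resource=/etc/hostname',
];

$allowedHosts = ['assets.example.com']; // assumed per-application allowlist

foreach ($samples as $value) {
    $verdict = isSafeRemoteUrl($value, $allowedHosts) ? 'fetch allowed' : 'rejected';
    printf("%-62s %s\n", $value, $verdict);
}
// Expected: only the first sample is allowed; the metadata-service URL is
// rejected by the host allowlist, the rest by the scheme allowlist.
```

The host allowlist is the part that matters for the SSRF half of the finding: restricting schemes to http(s) closes the local file read (file://, php://filter) but still lets the PHP process reach internal HTTP endpoints, so an application that must accept remote attachment URLs should pin the permitted hosts (or fetch through an egress proxy that enforces the same policy) rather than rely on scheme filtering alone. Where user input does not need to be a URL at all, the simplest fix is to never pass it to the option and to upgrade to 2.6.0 as the remediation states.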


EUVD-2026-38054 vulnerability details – vuln.today
