CVE-2026-49286
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk42th percentile - higher than 42% of all known CVEs
Summary
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, the output filename guard was case-sensitive, allowing bypass of the check and leading to remote code execution.
Risk Assessment
Organizations using this library may be exposed to remote code execution, potentially resulting in serious security breaches and data loss.
Recommendation
It is recommended to update PhpWeasyPrint to version 2.6.0 or later to patch this vulnerability.
Original NVD description (English source)
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115. The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj). PhpWeasyPrint version 2.6.0 contains a patch for the issue.

