CVE-2026-49358
CVSS 3.0: Low
Exploitation Probability (EPSS): Low risk, 2nd percentile (higher than 2% of all known CVEs)
Summary
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. In versions prior to 2.6.0, the array `AbstractGenerator::$temporaryFiles` is public, and its entries are deleted without verifying that each path lies inside the temporary folder, so any code holding a reference to a generator instance can cause unauthorized file deletions.
Risk Assessment
Organizations may be exposed to unauthorized file deletions, potentially leading to data loss or disruption of application functionality. Because the deletion runs at script shutdown, any code that can obtain a reference to a generator instance can schedule the removal of files outside the temporary folder.
Recommendation
It is recommended to update PhpWeasyPrint to version 2.6.0 or later to mitigate this vulnerability. Additionally, review the application code for places where generator instances are exposed to untrusted or third-party code, since any holder of a reference can append paths to the array.
Original NVD description (English source)
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()` — invoked from `__destruct()` and from a registered shutdown function — calls `unlink()` on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue GHSA-87qc-37cw-84h4. PhpWeasyPrint version 2.6.0 contains a patch for the issue.
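As an added illustration (not PhpWeasyPrint's code, and not the fix as shipped in 2.6.0), the following hypothetical class shows the hardened shape of the pattern the description above names: the list of temporary files is private rather than public, and `removeTemporaryFiles()` refuses any entry whose resolved path is not under the temporary folder before calling `unlink()`. The class name, method names and the `pdf_` prefix are assumptions.

```php
<?php
// Added example, not PhpWeasyPrint's code: a hypothetical temporary-file holder
// hardened against the pattern in the advisory. The list is private, so only this
// class appends to it, and each entry is checked against the folder before unlink().
final class TemporaryFileStore
{
    private string $temporaryFolder;
    /** @var string[] paths this class created and will delete at shutdown */
    private array $temporaryFiles = [];
    public function __construct(string $temporaryFolder)
    {
        // realpath() resolves symlinks and '..' so the prefix check is meaningful
        $real = realpath($temporaryFolder);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException("Temporary folder not usable: $temporaryFolder");
        }
        $this->temporaryFolder = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // Same shutdown hook the advisory mentions, now over a list callers cannot edit
        register_shutdown_function([$this, 'removeTemporaryFiles']);
    }
    // The only way a path enters the list: the file is created inside the folder here.
    public function createTemporaryFile(string $content): string
    {
        $path = tempnam($this->temporaryFolder, 'pdf_');
        if ($path === false || file_put_contents($path, $content) === false) {
            throw new RuntimeException('Could not create temporary file');
        }
        $this->temporaryFiles[] = $path;
        return $path;
    }
    // True only if $path exists and resolves to a location under the temporary folder.
    public function isInsideTemporaryFolder(string $path): bool
    {
        $real = realpath($path);
        return $real !== false && str_starts_with($real, $this->temporaryFolder);
    }
    // Deletes recorded files; an entry outside the folder is skipped, never unlinked.
    public function removeTemporaryFiles(): int
    {
        $removed = 0;
        foreach ($this->temporaryFiles as $file) {
            if ($this->isInsideTemporaryFolder($file) && is_file($file)) {
                unlink($file);
                $removed++;
            }
        }
        $this->temporaryFiles = [];
        return $removed;
    }
}
```

The containment check is only as good as the prefix it compares against, so the folder is normalised once with `realpath()` and given a trailing separator, which prevents a sibling directory such as `/tmp/pdf-other` from matching a folder named `/tmp/pdf`.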