CVE-2022-28368
Published: 2022-04-03
Priority: P2 · 79 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 82.44% (99.6th percentile)
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-dompdf | — | — |
| dompdf | dompdf | >= 0 < 1.2.1 | 1.2.1 |
| dompdf_project | dompdf | < 1.2.1 | 1.2.1 |
Detection & IOCs (extracted from sources)
- For dompdf versions 0.8.6 through 1.2.0, the vulnerability is only exploitable when $isRemoteEnabled is set to true. Disabling remote resource loading mitigates the attack for these versions.
- For dompdf versions <= 0.8.5, $isRemoteEnabled has no effect and remote font loading (and thus exploitation) is always possible regardless of configuration.
- Exploitation also requires that the dompdf font cache directory (lib/fonts/) is web-accessible; if it is not directly reachable by the web server, the cached PHP webshell cannot be triggered.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 9.8 | LOW | — |
GHSA
Remote code injection in dompdf/dompdf
ghsa · 2022-04-04
CVE-2022-28368 [CRITICAL] CWE-79
Dompdf is an HTML to PDF converter. Dompdf before 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
OSV
Remote code injection in dompdf/dompdf
osv · 2022-04-04
CVE-2022-28368 [CRITICAL]
Dompdf is an HTML to PDF converter. Dompdf before 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
Debian
CVE-2022-28368: php-dompdf
vendor_debian · 2022 · CVSS 9.8
CVE-2022-28368 [CRITICAL]
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
Scope: local
bookworm: resolved
bullseye: resolved
sid: resolved
No detection rules found.
Exploit-DB
Dompdf 1.2.1 - Remote Code Execution (RCE)
exploitdb · 2023-04-06 · CVSS 9.8
CVE-2022-28368 [CRITICAL]
---
```python
#!/usr/bin/python3
# Exploit Title: Dompdf 1.2.1 - Remote Code Execution (RCE)
# Date: 16 February 2023
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
# Vendor Homepage: https://dompdf.github.io/
# Software Link: https://github.com/dompdf/dompdf
# Version: 0:
current_row -= 1
elif key == curses.KEY_DOWN and current_row --dompdf
```
example:
./dompdf-rce --inject https://vuln.rvz/dev/convert-html-to-pdf?html= --dompdf https://vuln.rvz/dompdf/
notes:
- Provide the parameters in the URL (regardless of the request method)
- Known issues: testing with https://github.com/positive-security/dompdf-rce
The program has been successfully tested for RCE on some systems where dompdf was implemented,
but there may be some issues when testing with the do
Metasploit
Dompdf RCE via Malicious Font Caching (CVE-2022-28368)
metasploit · CVSS 9.8
CVE-2022-28368 [CRITICAL]
This module exploits CVE-2022-28368, a Remote Code Execution vulnerability in dompdf versions prior to 1.2.1. The vulnerability exists because dompdf preserves the original file extension when caching fonts downloaded via CSS @font-face rules. By pointing a @font-face src to a .php file containing a valid TrueType font header with embedded PHP code, the file is saved in the dompdf font cache (lib/fonts/) with its .php extension intact. The cached file can then be executed by directly requesting it from the web server. For dompdf versions <= 0.8.5, remote font loading works regardless of the $isRemoteEnabled setting. For versions 0.8.6 through 1.2.0, the $isRemoteEnabled option must be set to true. This module requires the ability to i
Rapid7
Metasploit Wrap Up 05/29/2026
blogs_rapid7 · 2026-05-29 · CVSS 9.8
CVE-2026-43284 [CRITICAL]
## More Linux LPEs
Hark the age of the Linux LPE has arrived. This week’s release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seemed to have kicked off a trend of similar bugs and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a trenchcoat, individually identified as CVE-2026-43284 and CVE-2026-43500. Each is exploitable individually and comes with a new Metasploit module.
## New module content (5)
## Citrix ADC (NetScaler) CVE-2026-3055 Scanner
Authors: sfewer-r7 and watchTowr
Type: Auxiliary
Pull request: #21204 contributed by sfewer-r7
Path: scanner/http/citrix_netscaler_cve_2026_3055
AttackerKB reference: CVE-2026-3055
Description: Adds auxiliary module targeting CVE-2026-3055, an info leak in Citrix NetScaler
CTF
Stickers / README
ctf_writeups · 2023 · CVSS 9.8
[CRITICAL]
# Stickers
> Wooohoo!!! Stickers!!! Hackers love STICKERS!! You can make your own with our new website!
> Find the flag file in /flag.txt at the root of the filesystem.
## About the Challenge
We got a server that has a functionality to convert our input into a PDF file
## How to Solve?
At first, I thought this website was vulnerable to SSRF where we can input `` in the `organization` or `email` parameter but I was wrong
And I accidentally made the website error
I researched about this error message, and it appears that this website uses `DOMPDF` to convert our input into a PDF file. Because this website utilizes `DOMPDF`, it reminded me of a machine on HTB where the user had to exploit `RCE` on `DOMPDF`.
I'm using this [tool](https://github.com/rvizx/CVE-2022-28368) to easier my wor
References
- http://packetstormsecurity.com/files/171738/Dompdf-1.2.1-Remote-Code-Execution.html
- https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d
- https://github.com/dompdf/dompdf/issues/2598
- https://github.com/dompdf/dompdf/pull/2808
- https://github.com/snyk-labs/php-goof
- https://packagist.org/packages/dompdf/dompdf#v1.2.1
- https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/