CVE-2026-46683
Published 2026-06-10
Priority: P3 36 · Severity: medium · CVSS 4.0 base score: 6.9
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N (threat, environmental and supplemental metrics not defined)
EPSS: 0.25% (16.1th percentile)
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.7.0, there is an SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0.
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| knplabs | knp-snappy | >= 0 < 1.7.0 | 1.7.0 |
| knplabs | snappy | < 1.7.0 | 1.7.0 |
VulDB (2026-06-10, CVSS 6.9): CVE-2026-46683 [MEDIUM] KnpLabs snappy up to 1.6.x server-side request forgery (GHSA-c5fp-p67m-gq56 / EUVD-2026-36112)
A vulnerability categorized as critical has been discovered in KnpLabs snappy up to 1.6.x. This vulnerability affects unknown code. Executing a manipulation can lead to server-side request forgery.
This vulnerability is tracked as CVE-2026-46683. The attack can be launched remotely. No exploit exists.
It is advisable to upgrade the affected component.
GHSA (2026-05-21): CVE-2026-46683 [MEDIUM] CWE-918 Snappy : SSRF and local file read via the xsl-style-sheet option
### Impact
It impacts applications where:
- the PHP daemon runs with root permissions;
- the application either runs outside a container or has access to sensitive files.
It can happen with this kind of workflow:
```php
<?php
// Vulnerable pattern: untrusted request input reaches the xsl-style-sheet
// option unchecked, so a file:// or internal URL is handed to wkhtmltopdf.
$stylesheet = $_GET['stylesheet']; // e.g. 'file:///etc/passwd'
$pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
$pdf->generate('page.html', 'out.pdf', [
    'xsl-style-sheet' => $stylesheet,
]);
```
### Patches
An allowlist of URL schemes, `http` and `https` by default, is now used to validate the remote path.
### Workarounds
Developers should ensure that their usage never lets a user pass free-form input directly to the Snappy library.
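The following is an added example (not code from the advisory or the KnpLabs project) of that workaround in practice: the request carries only a key into a server-side allowlist of stylesheets, so no user-supplied path or URL ever reaches the `xsl-style-sheet` option. A second helper shows the scheme and host checks to apply as defence in depth if a remote stylesheet URL does have to be accepted. The function names, the allowlist contents, the `vendor/autoload.php` path and the wkhtmltopdf binary path are assumptions.

```php
<?php
// Added example, not the advisory's or the KnpLabs project's code.
// Layer 1: the request carries only a key; the path comes from this map.
// Layer 2: if a remote stylesheet URL must be accepted, allow http/https only
//          and refuse hosts that resolve to loopback, link-local or private ranges.
// Assumed: function names, the map contents, the autoload and wkhtmltopdf paths.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

const ALLOWED_STYLESHEETS = [
    'invoice' => '/var/www/app/xsl/invoice.xsl',
    'report'  => '/var/www/app/xsl/report.xsl',
];

/** Map a user-supplied key to a server-controlled stylesheet path, or null. */
function resolveStylesheet(string $key): ?string
{
    return ALLOWED_STYLESHEETS[$key] ?? null;
}

/** Defence in depth for remote stylesheets: http(s) scheme and a public host. */
function isAllowedRemoteStylesheet(string $url): bool
{
    $parts = parse_url($url);
    // file:///etc/passwd has no host component; bare paths have no scheme.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = $parts['host'];
    if (strcasecmp($host, 'localhost') === 0) {
        return false;
    }
    // Resolve names to an address (IPv4 only with gethostbyname); on failure
    // gethostbyname returns the name unchanged, which fails the IP check below.
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 (and fc00::/7);
    // NO_RES_RANGE rejects 127/8, 169.254/16, 0/8, 240/4 (and ::1, fe80::/10).
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Request handling: reject anything that is not a known key.
$stylesheet = resolveStylesheet((string) ($_GET['stylesheet'] ?? ''));
if ($stylesheet === null) {
    http_response_code(400);
    exit('unknown stylesheet');
}

$pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
$pdf->generate('page.html', 'out.pdf', [
    'xsl-style-sheet' => $stylesheet,
]);
```

The fixed-key mapping in `resolveStylesheet` is the control to rely on. `isAllowedRemoteStylesheet` is only a second layer: `gethostbyname` handles IPv4 names only, and there is a window between this check and wkhtmltopdf's own fetch in which a rebinding DNS answer could change the target, so a URL-based path also needs a resolver or egress control that enforces the same ranges.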
```php
// Bad example (snippet truncated in the source)
$pdf = new Knp\Snappy\Pdf('/usr/
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.