CVE-2026-49260
Published 2026-06-19
Priority: P3 39 · Severity: high · CVSS 3.1 base score: 8.2
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.15% (4.9th percentile)
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.5.1, `pontedilana/php-weasyprint` builds the shell command for WeasyPrint by passing the binary path through `escapeshellarg()` first and then checking the *quoted* result with `is_executable()`. On POSIX `escapeshellarg('/usr/local/bin/weasyprint')` returns `'/usr/local/bin/weasyprint'` with the single-quote characters as part of the string, so `is_executable()` looks for a file whose actual name includes those quotes. That file never exists, the "safe" branch is dead code, and the raw `$binary` string (set via the constructor or `setBinary()`) flows directly into `Symfony\Component\Process\Process::fromShellCommandline()`. Any deployment whose binary path is sourced from configuration, an environment variable, or a per-tenant setting reaches a shell-command-injection sink. The library is documented as a one-to-one substitute for KnpLabs/snappy and inherited the exact pre-fix codepath KnpLabs patched in GHSA-vpr4-p6fq-85jc. PhpWeasyPrint version 2.5.1 contains a patch for the issue.
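The following is an added illustration of the order-of-operations defect described above, not code from `pontedilana/php-weasyprint` or from KnpLabs/snappy. It shows why `is_executable()` applied to an already-quoted path never succeeds, and contrasts it with a guard that validates the raw path first and a variant that avoids the shell altogether by handing Symfony Process an argv array. The function names (`brokenGuard`, `validatedBinary`, `buildPdfProcess`) and the use of `/bin/ls` as a stand-in binary are assumptions made for the example; it assumes `symfony/process` is installed.

```php
<?php
// Added illustrative code; not part of pontedilana/php-weasyprint.
// Assumes: composer require symfony/process (Process accepts an argv array).

use Symfony\Component\Process\Process;

// The defective pattern: quote first, then test the *quoted* string.
// escapeshellarg('/usr/local/bin/weasyprint') yields the string
// '/usr/local/bin/weasyprint' with the single quotes included, so
// is_executable() looks for a filename containing literal quote characters.
// No such file exists, so this guard is always false and the "safe" branch
// it was meant to select is dead code; the raw path then reaches a shell
// string builder such as Process::fromShellCommandline() unchecked.
function brokenGuard(string $binary): bool
{
    $quoted = escapeshellarg($binary);
    return is_executable($quoted); // always false for a real path
}

// A corrected guard: validate the raw path (must be a regular, executable
// file), and only after that quote it for use inside a shell string.
function validatedBinary(string $binary): string
{
    if (!is_file($binary) || !is_executable($binary)) {
        throw new InvalidArgumentException(sprintf('Not an executable file: %s', $binary));
    }
    return escapeshellarg($binary);
}

// Preferable: remove the shell from the picture. An argv array is passed to
// execve() without /bin/sh parsing it, so a configuration-sourced binary path
// cannot turn into additional shell commands even if a later check is wrong.
function buildPdfProcess(string $binary, string $inputUrl, string $outputPath): Process
{
    if (!is_file($binary) || !is_executable($binary)) {
        throw new InvalidArgumentException(sprintf('Not an executable file: %s', $binary));
    }
    return new Process([$binary, $inputUrl, $outputPath]);
}

// Demonstration with a benign stand-in binary present on most POSIX hosts.
$path = '/bin/ls';
var_dump(brokenGuard($path));          // bool(false): quoted name never exists on disk
var_dump(is_executable($path));        // bool(true): the raw path is what must be checked
echo validatedBinary($path), PHP_EOL;  // '/bin/ls'
echo buildPdfProcess($path, 'https://example.com', '/tmp/out.pdf')->getCommandLine(), PHP_EOL;
```

When auditing a code base for the same class of bug, look for any `is_file()`, `is_executable()` or `file_exists()` call whose argument has already passed through `escapeshellarg()` or `escapeshellcmd()`; the check can never pass, so whatever branch it protects is unreachable and the unescaped value should be traced to its sink.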
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pontedilana | php-weasyprint | < 2.5.1 | 2.5.1 |
| pontedilana | php-weasyprint | >= 0 < 2.5.1 | 2.5.1 |
GHSA (2026-06-26)
CVE-2026-49260 [HIGH] CWE-78 php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
VulDB (2026-06-19)
CVE-2026-49260 [CRITICAL] pontedilana php-weasyprint up to 2.5.0 Setting escapeshellarg binary os command injection (GHSA-vpr4-p6fq-85jc)
A vulnerability identified as critical has been detected in pontedilana php-weasyprint up to 2.5.0. Affected is the function escapeshellarg of the file /usr/local/bin/weasyprint of the component Setting Handler. The manipulation of the argument binary leads to os command injection.
This vulnerability is uniquely identified as CVE-2026-49260. Local access is required to approach this attack. No exploit exists.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/KnpLabs/snappy/security/advisories/GHSA-vpr4-p6fq-85jc
- https://github.com/pontedilana/php-weasyprint/commit/9e86a2b317237fc5728f712f5037164530117f7e
- https://github.com/pontedilana/php-weasyprint/releases/tag/2.5.1
- https://github.com/pontedilana/php-weasyprint/security/advisories/GHSA-f5gc-qxf8-mh9g
Published: 2026-06-19