CVE-2026-49286
Published 2026-06-19
Priority: P3 (50) · Severity: high · CVSS 3.1 base score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.56% (percentile 42.1)
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115. The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj). PhpWeasyPrint version 2.6.0 contains a patch for the issue.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pontedilana | php-weasyprint | >= 0 < 2.6.0 | 2.6.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | | 9.8 | CRITICAL | |
GHSA
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
ghsa · 2026-06-26 · CVE-2026-49286 · CVSS 9.8 [CRITICAL] · CWE-502
### Summary
`pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist:
```php
// Vulnerable pre-2.6.0 guard: strpos() is case-sensitive, so only the exact
// lowercase "phar://" prefix is rejected; "PHAR://" passes straight through.
if (0 === \strpos($filename, 'phar://')) {
    throw new \InvalidArgumentException('The output file cannot be a phar archive.');
}
```
PHP stream wrappers are **case-insensitive**, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115.
The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj).
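To make the bypass concrete, here is an added example that is not code from php-weasyprint or KnpLabs/snappy. It places the vulnerable case-sensitive guard beside a minimal `stripos()` fix and beside a scheme-parsing check that rejects every stream wrapper, and runs all three over constructed probe filenames. Function names are hypothetical, and the hardened variant is one reasonable design rather than the project's actual 2.6.0 patch (that is in the linked commit).

```php
<?php
declare(strict_types=1);

// Added example, not php-weasyprint's or snappy's code. Function names
// are hypothetical. Demonstrates why a case-sensitive prefix match on
// "phar://" is bypassable and what a non-bypassable check looks like.

/**
 * Mirrors the vulnerable pre-2.6.0 guard: case-sensitive prefix match.
 * Returns true when the filename would be rejected.
 */
function rejectsPharVulnerable(string $filename): bool
{
    return 0 === \strpos($filename, 'phar://');
}

/**
 * Minimal fix: stripos() compares case-insensitively, which closes the
 * PHAR:// / Phar:// bypass but still blacklists a single wrapper.
 */
function rejectsPharMinimal(string $filename): bool
{
    return 0 === \stripos($filename, 'phar://');
}

/**
 * Hardened variant: parse whatever precedes "://" as a scheme and reject
 * any scheme at all. PHP resolves wrapper names case-insensitively, so the
 * scheme is lower-cased before anything is done with it. An output path
 * for a PDF writer should be a plain filesystem path, so an allowlist of
 * "no scheme" is simpler and safer than a blacklist of known wrappers.
 */
function rejectsWrapperHardened(string $filename): bool
{
    if (\preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $filename, $m) === 1) {
        $scheme = \strtolower($m[1]); // PHAR://, Phar://, pHaR:// -> "phar"
        return $scheme !== '';        // any wrapper scheme is rejected
    }
    return false; // no "scheme://" prefix: plain local path, accepted
}

/** Constructed probe filenames: benign paths plus wrapper case variants. */
function probeFilenames(): array
{
    return [
        'out.pdf',
        '/tmp/out.pdf',
        'phar://evil.phar/out.pdf',
        'PHAR://evil.phar/out.pdf',
        'Phar://evil.phar/out.pdf',
        'compress.zlib:///tmp/out.pdf',
    ];
}

function yn(bool $b): string
{
    return $b ? 'yes' : 'no';
}

printf("%-30s %-11s %-8s %s%s", 'filename', 'vulnerable', 'stripos', 'hardened', PHP_EOL);
foreach (probeFilenames() as $name) {
    printf(
        "%-30s %-11s %-8s %s%s",
        $name,
        yn(rejectsPharVulnerable($name)),
        yn(rejectsPharMinimal($name)),
        yn(rejectsWrapperHardened($name)),
        PHP_EOL
    );
}
```

Run it with `php check.php`. The first column shows the vulnerable guard accepting `PHAR://evil.phar/out.pdf` and `Phar://evil.phar/out.pdf`; on PHP 7.4 those names then reach `file_exists()`, which is the call that unserializes the archive's metadata. Both fixed variants reject them, and only the hardened variant also rejects other wrappers such as `compress.zlib://`.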
VulDB
pontedilana php-weasyprint up to 2.5.x PHAR fileExists deserialization (GHSA-92rv-4j2h-8mjj)
vuldb · 2026-06-19 · CVE-2026-49286 [LOW]
A vulnerability classified as problematic has been found in pontedilana php-weasyprint up to 2.5.x. The affected element is the function fileExists of the component PHAR Handler. The manipulation leads to deserialization.
This vulnerability is referenced as CVE-2026-49286. Remote exploitation of the attack is possible. No exploit is available.
It is recommended to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj
https://github.com/pontedilana/php-weasyprint/commit/d1aa487722b5a3cab9b222b85fdb5608a5a550c3
https://github.com/pontedilana/php-weasyprint/releases/tag/2.6.0
https://github.com/pontedilana/php-weasyprint/security/advisories/GHSA-2fmj-p74r-3wjm