CVE-2026-49358
Published 2026-06-19
Priority: P4 | Severity: low | CVSS 3.1 base score 3.0 (AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L)
EPSS: 0.11% (1.6th percentile)
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()` — invoked from `__destruct()` and from a registered shutdown function — calls `unlink()` on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue GHSA-87qc-37cw-84h4. PhpWeasyPrint version 2.6.0 contains a patch for the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pontedilana | php-weasyprint | < 2.6.0 | 2.6.0 |
| pontedilana | php-weasyprint | >= 0 < 2.6.0 | 2.6.0 |
GHSA (ghsa · 2026-06-26)
CVE-2026-49358 [LOW] CWE-73: PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
### Summary
`AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()` — invoked from `__destruct()` and from a registered shutdown function — calls `unlink()` on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown.
This mirrors the KnpLabs/snappy issue [GHSA-87qc-37cw-84h4](https://github.com/KnpLabs/snappy/security/advisories/GHSA-87qc-37cw-84h4), patched in snappy 1.7.2.
### Affected versions
`pontedilana/php-weasyprint` versions `< 2.6.0`.

The cleanup routine, as described above, iterates the public array and unlinks every entry:

```php
// Runs from __destruct() and from the registered shutdown function.
public function removeTemporaryFiles(): void
{
    foreach ($this->temporaryFiles as $file) {
        $this->unlink($file);
    }
}
```
No path-contai
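As an added illustration (not code from the php-weasyprint project and not the 2.6.0 patch itself), a cleanup routine of the same shape hardened in the two ways the advisory points at: the file list is private so callers holding the instance cannot push paths into it, and each entry must resolve to a regular file inside the temporary folder before it is unlinked. The class name, the `$temporaryFolder` property and `createTemporaryFile()` are assumptions; it requires PHP 8.1+.

```php
<?php
declare(strict_types=1);

// Hypothetical generator-style helper; mirrors the advisory's shape only.
final class TempFileCleaner
{
    /** @var list<string> Private: outside code can no longer append paths. */
    private array $temporaryFiles = [];

    public function __construct(private readonly string $temporaryFolder)
    {
        // Same two triggers the advisory describes: shutdown hook and destructor.
        register_shutdown_function([$this, 'removeTemporaryFiles']);
    }

    /** Creates a file inside the temp folder and tracks it for cleanup. */
    public function createTemporaryFile(string $content): string
    {
        $path = tempnam($this->temporaryFolder, 'weasy_');
        file_put_contents($path, $content);
        $this->temporaryFiles[] = $path;
        return $path;
    }

    /** Deletes only tracked entries that still resolve inside the temp folder. */
    public function removeTemporaryFiles(): void
    {
        $root = realpath($this->temporaryFolder);
        foreach ($this->temporaryFiles as $file) {
            // realpath() returns false for missing paths and follows symlinks,
            // so a link planted in the folder that points elsewhere is skipped.
            $real = realpath($file);
            if ($root === false || $real === false || !is_file($real)
                || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
                continue;
            }
            unlink($real);
        }
        $this->temporaryFiles = [];
    }

    public function __destruct()
    {
        $this->removeTemporaryFiles();
    }
}
```

The containment check is defence in depth; the change that closes the reported vector is the array no longer being writable from outside the instance.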
VulDB (vuldb · 2026-06-19)
CVE-2026-49358 [LOW] pontedilana php-weasyprint up to 2.5.x removeTemporaryFiles temporaryFiles file inclusion (GHSA-87qc-37cw-84h4 / EUVD-2026-38036)
A vulnerability identified as problematic has been detected in pontedilana php-weasyprint up to 2.5.x. The affected element is the function removeTemporaryFiles. This manipulation of the argument temporaryFiles causes file inclusion.
This vulnerability is tracked as CVE-2026-49358. The attack is restricted to local execution. No exploit exists.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/KnpLabs/snappy/security/advisories/GHSA-87qc-37cw-84h4
- https://github.com/pontedilana/php-weasyprint/commit/6d328ffd3bcb800c7c2e8a594b1bff0c099c9391
- https://github.com/pontedilana/php-weasyprint/releases/tag/2.6.0
- https://github.com/pontedilana/php-weasyprint/security/advisories/GHSA-5g9f-cwwg-4p8g