CVE-2026-49359
Published 2026-06-19
Priority: P3 (38)
CVSS 3.1: 6.5 medium, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.24% (15.3rd percentile)
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` fetches the content of option values server-side via `file_get_contents()` when the value looks like a URL, without restricting the URL scheme. The `attachment` option of `Pdf` is the reachable sink: any value that passes `isOptionUrl()` (`filter_var(..., FILTER_VALIDATE_URL)`) is downloaded by the PHP process and embedded into the generated PDF. Because `FILTER_VALIDATE_URL` accepts `http`, `https`, `ftp`, `file` and PHP stream wrappers such as `php://`, an attacker who can influence the `attachment` value reaches both a **Server-Side Request Forgery** primitive (e.g. internal HTTP endpoints, cloud metadata) and a local file disclosure primitive (`file://`, `php://filter/...`), with the fetched bytes exfiltrated as a PDF attachment. This is the same class of issue KnpLabs/snappy patched for its `xsl-style-sheet` option in GHSA-c5fp-p67m-gq56. The library is documented as a one-to-one substitute for KnpLabs/snappy and shares the same code shape. PhpWeasyPrint version 2.6.0 contains a patch for the issue.
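The check described above, with a hardened counterpart, as an added example (PHP 8). This is not code from pontedilana/php-weasyprint or its 2.6.0 patch: `isOptionUrlVulnerable()` reproduces the shape the advisory describes (a bare `FILTER_VALIDATE_URL` check in front of `file_get_contents()`), while `AttachmentUrlPolicy` is an assumed replacement that adds an explicit scheme allowlist and, as defence in depth the page does not attribute to upstream, rejects hosts that resolve to loopback, private, link-local or reserved addresses. The attacker-controlled attachment values at the bottom are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from pontedilana/php-weasyprint or its 2.6.0 patch.
// isOptionUrlVulnerable() has the shape the advisory describes; the
// AttachmentUrlPolicy class is an assumed hardened replacement.

// Anything FILTER_VALIDATE_URL accepts (http, https, ftp, file, php://...)
// would go straight to file_get_contents() behind a check like this.
function isOptionUrlVulnerable(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_URL) !== false;
}

final class AttachmentUrlPolicy
{
    // Explicit scheme allowlist: file:// and PHP stream wrappers never pass.
    private const ALLOWED_SCHEMES = ['http', 'https'];

    /** Returns the URL if it may be fetched, or null with $reason set. */
    public static function validate(string $value, ?string &$reason = null): ?string
    {
        if (filter_var($value, FILTER_VALIDATE_URL) === false) {
            $reason = 'not a URL';
            return null;
        }
        $parts  = parse_url($value);
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, self::ALLOWED_SCHEMES, true)) {
            $reason = "scheme '{$scheme}' not allowed";
            return null;
        }
        // parse_url() returns IPv6 literals in brackets, e.g. "[::1]".
        $host = trim($parts['host'] ?? '', '[]');
        if ($host === '') {
            $reason = 'missing host';
            return null;
        }
        // A scheme allowlist alone still lets http://169.254.169.254/ or
        // http://127.0.0.1/ through, so resolve the host and reject
        // loopback, private, link-local and reserved ranges (assumed
        // defence in depth, not something this page attributes to upstream).
        // gethostbynamel() is IPv4-only; address literals are taken as-is.
        $ips = filter_var($host, FILTER_VALIDATE_IP) !== false
            ? [$host]
            : (gethostbynamel($host) ?: []);
        if ($ips === []) {
            $reason = "cannot resolve '{$host}'";
            return null;
        }
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        foreach ($ips as $ip) {
            if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
                $reason = "'{$host}' resolves to non-public address {$ip}";
                return null;
            }
        }
        return $value;
    }

    /** Fetches an already validated URL without following redirects. */
    public static function fetch(string $url): string|false
    {
        $ctx = stream_context_create(['http' => [
            'timeout'         => 5,
            'follow_location' => 0, // a redirect could point back at an internal host
        ]]);
        return file_get_contents($url, false, $ctx);
    }
}

// Constructed attacker-controlled attachment values, not taken from any real report.
$samples = [
    'file:///etc/passwd',
    'php://filter/read=convert.base64-encode/resource=/etc/passwd',
    'ftp://127.0.0.1/secret.txt',
    'http://169.254.169.254/latest/meta-data/',
    'http://127.0.0.1:8080/admin',
    'http://[::1]/',
    'https://93.184.216.34/terms.pdf', // public address literal: allowed
];

foreach ($samples as $value) {
    $vulnerable = isOptionUrlVulnerable($value) ? 'fetched' : 'rejected';
    $hardened   = AttachmentUrlPolicy::validate($value, $reason) !== null
        ? 'allowed'
        : "rejected ({$reason})";
    printf("%-62s vulnerable: %-8s hardened: %s\n", $value, $vulnerable, $hardened);
}
```

Two caveats on the hardened version. First, the address check runs at validation time and `file_get_contents()` resolves the name again when it connects, so a DNS-rebinding attacker can flip the answer in between; if that matters, connect to the validated address and send the original host name in the `Host` header instead of letting the stream wrapper resolve. Second, `FILTER_FLAG_NO_PRIV_RANGE` and `FILTER_FLAG_NO_RES_RANGE` do not cover every non-routable block (documentation and multicast ranges, for instance); on PHP 8.2 or later `FILTER_FLAG_GLOBAL_RANGE` is the broader choice.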
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pontedilana | php-weasyprint | < 2.6.0 | 2.6.0 |
| pontedilana | php-weasyprint | >= 0 < 2.6.0 | 2.6.0 |
GHSA-x8g9-h984-pc36 (ghsa, 2026-06-26): PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
CVE-2026-49359 [MEDIUM] CWE-918
### Summary
`pontedilana/php-weasyprint` fetches the content of option values server-side via `file_get_contents()` when the value looks like a URL, without restricting the URL scheme. The `attachment` option of `Pdf` is the reachable sink: any value that passes `isOptionUrl()` (`filter_var(..., FILTER_VALIDATE_URL)`) is downloaded by the PHP process and embedded into the generated PDF. Because `FILTER_VALIDATE_URL` accepts `http`, `https`, `ftp`, `file` and PHP stream wrappers such as `php://`, an attacker who can influence the `attachment` value reaches both a **Server-Side Request Forgery** primitive (e.g. internal HTTP endpoints, cloud metadata) and a **local file disclosure** primitive (`file://`, …
VulDB (vuldb, 2026-06-19): pontedilana php-weasyprint up to 2.5.x file_get_contents server-side request forgery (GHSA-c5fp-p67m-gq56)
CVE-2026-49359 [CRITICAL]
A vulnerability classified as critical was found in pontedilana php-weasyprint up to 2.5.x. The impacted element is the function file_get_contents. The manipulation results in server-side request forgery. This vulnerability is identified as CVE-2026-49359. The attack can be executed remotely. No exploit is available. Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/pontedilana/php-weasyprint/security/advisories/GHSA-x8g9-h984-pc36
- https://github.com/pontedilana/php-weasyprint/commit/9582dcf119a405276cf55e9e10bc577a887792cb
- https://github.com/pontedilana/php-weasyprint/releases/tag/2.6.0
- https://github.com/KnpLabs/snappy/security/advisories/GHSA-c5fp-p67m-gq56