Description
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.1, on POSIX, escapeshellarg(‘/usr/bin/wkhtmltopdf’) returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. is_executable() then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and $command always falls through to the raw, unescaped value. The rest of the arguments (options, input, output) are escaped correctly, so injection has to land in the binary string itself. That happens whenever the binary path is sourced from configuration that is user-influenced, derived from environment variables that ultimately come from request data, or concatenated with any user-controlled fragment. This issue has been patched in version 1.7.1.
Published: 2026-06-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Snappy is a PHP library used to generate thumbnails, snapshots or PDFs from web content. The flaw stems from a logic error in which the filename provided to escapeshellarg is never properly shell‑escaped on POSIX systems. The binary path passed to the system command is therefore taken literally, including any surrounding single quotes. This means that if an attacker can influence the binary path—through configuration files, environment variables, or request‑derived values—the attacker can inject arbitrary shell commands. The rest of the command line arguments are escaped correctly, so the injection vector is limited to the binary path. The impact is the potential execution of arbitrary commands at the level of the account running the PHP process, which could lead to full server compromise or data exfiltration.

Affected Systems

The vulnerability is present in the KnpLabs snappy PHP library in all releases prior to version 1.7.1. Users of older versions who rely on Snappy for rendering PDFs or images should be aware that any user‑controlled configuration or environment affecting the binary path could be exploited.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. The EPSS score is not available, but the lack of a documented exploit in the KEV list does not lessen the risk because the flaw is a classic command injection scenario. Attackers can craft input that sets the binary path to a malicious value, causing the underlying system command to execute arbitrary code. The vulnerability can be exploited remotely through any public interface that allows the attacker to influence configuration or environment settings associated with Snappy.

Generated by OpenCVE AI on June 10, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Snappy library to version 1.7.1 or later, in which the binary path validation and escaping are correctly implemented.
  • If an upgrade is not immediately possible, remove any user‑controlled inputs that determine the binary path and hard‑code the path to a trusted executable value.
  • Configure the web server to run the Snappy process under the least privileged account to limit the damage if command injection is still possible.

Generated by OpenCVE AI on June 10, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vpr4-p6fq-85jc Snappy: Binary path is never shell-escaped due to an inverted is_executable check
History

Thu, 11 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Knplabs
Knplabs snappy
Vendors & Products Knplabs
Knplabs snappy

Wed, 10 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.7.1, on POSIX, escapeshellarg(‘/usr/bin/wkhtmltopdf’) returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. is_executable() then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and $command always falls through to the raw, unescaped value. The rest of the arguments (options, input, output) are escaped correctly, so injection has to land in the binary string itself. That happens whenever the binary path is sourced from configuration that is user-influenced, derived from environment variables that ultimately come from request data, or concatenated with any user-controlled fragment. This issue has been patched in version 1.7.1.
Title Snappy: Binary path is never shell-escaped due to an inverted is_executable check
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T16:15:41.695Z

Reserved: 2026-05-15T20:11:54.584Z

Link: CVE-2026-46643

cve-icon Vulnrichment

Updated: 2026-06-11T12:29:13.066Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T20:17:28.880

Modified: 2026-06-11T17:16:34.370

Link: CVE-2026-46643

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T22:00:08Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')