Impact
The vulnerability resides in Snappy, a PHP library that produces previews and PDFs from URLs or HTML content. The library accepts an xsl-style-sheet option that controls XML stylesheets. An attacker can supply an arbitrary URL or file path to this option. Because Snappy does not validate the input, the library fetches the resource from the supplied location. This allows an attacker to read local files on the host, including files relative to the web root, and to issue arbitrary outbound HTTP or HTTPS requests from the server into the surrounding network, exposing internal services. The weakness is Server-Side Request Forgery combined with Local File Inclusion (CWE-918) and can lead to information disclosure and, in certain configurations, code execution on the server.
Affected Systems
The affected product is KnpLabs Snappy before version 1.7.0. The library is commonly used in PHP web applications to generate thumbnails, snapshots or PDFs from external URLs or HTML. Any deployment whose code calls Snappy with a user-controlled xsl-style-sheet argument is vulnerable. Systems running Snappy 1.6.2 or earlier are at risk; the latest released version, 1.7.0, contains the fix.
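The vulnerable pattern described in the two sections above, as an added illustration that is not code from the advisory or from the Snappy project: an application that forwards user-supplied option names straight to Snappy, beside a hardened variant that only accepts an application-defined allowlist of option names and strictly-shaped values. The `$userOptions` request field, the allowlist contents and the wkhtmltopdf binary path are assumptions.

```php
<?php
// Added example, not part of the advisory or of the Snappy project.
require 'vendor/autoload.php';

use Knp\Snappy\Pdf;

// Constructed request data: an application that lets callers tune PDF output.
$userOptions = $_POST['options'] ?? [];   // e.g. ['page-size' => 'A4']

// Vulnerable pattern: every user-supplied option name reaches Snappy unchecked,
// so a caller can set 'xsl-style-sheet' to a local path or a URL (CWE-918).
function renderUnsafe(string $html, array $userOptions): string
{
    $snappy = new Pdf('/usr/local/bin/wkhtmltopdf'); // assumed binary path
    foreach ($userOptions as $name => $value) {
        $snappy->setOption($name, $value);
    }
    return $snappy->getOutputFromHtml($html);
}

// Hardened pattern: the application, not the caller, decides which options
// exist, and each permitted value must match a strict pattern. Path- or
// URL-bearing options such as 'xsl-style-sheet' are simply not in the list.
const ALLOWED_OPTIONS = [                 // assumed, application-specific
    'page-size'   => '/^(A4|Letter)$/',
    'orientation' => '/^(Portrait|Landscape)$/',
    'margin-top'  => '/^\d{1,2}mm$/',
];

function renderSafe(string $html, array $userOptions): string
{
    $snappy = new Pdf('/usr/local/bin/wkhtmltopdf'); // assumed binary path
    foreach ($userOptions as $name => $value) {
        if (!isset(ALLOWED_OPTIONS[$name]) || !is_string($value)
            || !preg_match(ALLOWED_OPTIONS[$name], $value)) {
            // Reject unknown option names and malformed values outright
            // rather than passing them to the renderer.
            throw new InvalidArgumentException("Rejected option: $name");
        }
        $snappy->setOption($name, $value);
    }
    return $snappy->getOutputFromHtml($html);
}
```

Upgrading to Snappy 1.7.0 addresses the library-side issue; the allowlist above is the application-side control that keeps user input from selecting file- or URL-valued options regardless of library version.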
Risk and Exploitability
The CVSS score of 6.9 indicates medium severity. No EPSS score is available, but the absence of public exploit chatter and the requirement for a valid vulnerable URL or file path mean that exploitation is plausible but not trivial. The vulnerability is not cataloged in the CISA KEV list, so no exploitation of this specific issue has been documented yet. The most likely attack vector is a web form or API endpoint that forwards user-supplied input to Snappy, allowing an attacker to inject a malicious xsl-style-sheet value. When the target system has outbound network access, the SSRF component can reach internal services hidden behind firewalls. Organizations should treat this as a moderate risk until patched, especially where the library processes user-controlled input.
OpenCVE Enrichment
GitHub GHSA