Description
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.5.1, `pontedilana/php-weasyprint` builds the shell command for WeasyPrint by passing the binary path through `escapeshellarg()` first and then checking the *quoted* result with `is_executable()`. On POSIX `escapeshellarg('/usr/local/bin/weasyprint')` returns `'/usr/local/bin/weasyprint'` with the single-quote characters as part of the string, so `is_executable()` looks for a file whose actual name includes those quotes. That file never exists, the "safe" branch is dead code, and the raw `$binary` string (set via the constructor or `setBinary()`) flows directly into `Symfony\Component\Process\Process::fromShellCommandline()`. Any deployment whose binary path is sourced from configuration, an environment variable, or a per-tenant setting reaches a shell-command-injection sink. The library is documented as a one-to-one substitute for KnpLabs/snappy and inherited the exact pre-fix codepath KnpLabs patched in GHSA-vpr4-p6fq-85jc. PhpWeasyPrint version 2.5.1 contains a patch for the issue.
Published: 2026-06-19
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PhpWeasyPrint builds PDF generation commands by quoting the binary path and then incorrectly checking whether the quoted string is executable. Because is_executable() looks for a file name that includes the surrounding quotes, the safe branch never fires. Consequently, the raw binary path supplied through configuration, environment, or per‑tenant settings is passed directly to the shell command, allowing an attacker who controls that value to inject arbitrary commands into the process. This is an OS command injection, CWE-78.
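To make the inverted guard described in the Description and Impact sections concrete, here is an added PHP example. It is not PhpWeasyPrint's or Symfony's own source; it reconstructs the shape of the check the advisory describes next to a hardened shape that validates the raw path before any quoting and hands the arguments to Process as an array so no shell is involved. The function names, the allow-list directories and the sample paths are assumptions for illustration.

```php
<?php
// Added illustration (not PhpWeasyPrint's own code): why a guard written as
// is_executable(escapeshellarg($binary)) can never succeed, and a safer shape.

use Symfony\Component\Process\Process;

// --- Flawed ordering, as described in the advisory (illustrative reconstruction) ---
function buildCommandFlawed(string $binary, string $input, string $output): string
{
    // On POSIX this yields '/usr/local/bin/weasyprint' WITH the quote characters in the string.
    $quoted = escapeshellarg($binary);

    // Looks up a path whose literal name contains quotes: no such file, so this is always false.
    if (is_executable($quoted)) {
        return $quoted . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
    }

    // Dead-code fallthrough: the unquoted, unvalidated string reaches the shell verbatim.
    return $binary . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

// --- Hardened shape (assumed policy, not the library's fix) ---
function validateBinary(string $binary): string
{
    // Check the *raw* path first; quoting is a transport concern, not a validation step.
    $real = realpath($binary);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        throw new \InvalidArgumentException("WeasyPrint binary is not an executable file: {$binary}");
    }

    // Optional allow-list (assumption): only accept binaries from known directories,
    // which keeps a per-tenant or environment-sourced value from pointing anywhere.
    $allowedDirs = ['/usr/bin/', '/usr/local/bin/'];
    foreach ($allowedDirs as $dir) {
        if (str_starts_with($real, $dir)) {
            return $real;
        }
    }
    throw new \InvalidArgumentException("WeasyPrint binary outside allowed directories: {$real}");
}

function buildProcess(string $binary, string $input, string $output): Process
{
    $real = validateBinary($binary);

    // Array form: each element becomes one argv entry passed to exec().
    // No shell parses the command line, so metacharacters in any element are inert.
    return new Process([$real, $input, $output]);
}

// Demonstration with a constructed path: the quoted check is false even for a real executable.
var_dump(is_executable(escapeshellarg('/bin/sh')));  // false on POSIX: name includes quotes
var_dump(is_executable('/bin/sh'));                   // true wherever /bin/sh exists
```

The two var_dump calls at the end show the whole defect in one line: the quoted string never names an existing file, so a guard built on it is dead code regardless of what the binary path is. The hardened shape fixes the ordering (validate, then use) and, by passing an array to Process, removes the shell from the picture entirely, which is the control that matters when the path comes from configuration or an environment variable.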

Affected Systems

Installations of the pontedilana/php-weasyprint library that run versions older than 2.5.1 are affected. Any deployment that obtains the binary path from external configuration, environment variables, or per‑tenant settings is vulnerable. The 2.5.1 release contains the patch that removes the inverted guard and correctly validates the binary path.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity with potential for remote code execution. The EPSS is not available, but the vulnerability remains exploitable via standard command‑injection techniques once the configuration is compromised. The library is not listed in the CISA KEV catalog, but the risk is significant for systems that expose the binary path to untrusted sources.

Generated by OpenCVE AI on June 19, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the php-weasyprint package to version 2.5.1 or later to apply the official fix.
  • Verify that any configuration or environment variable used to specify the WeasyPrint binary path is sourced from a trusted location and is not influenced by user input.
  • Restrict the execution context of the library, for example by running it inside a sandboxed environment or container that limits the available shell commands and paths.


Tracking


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Change record: values added (no removed values are shown for this entry)

  • Description: identical to the Description section at the top of this page.
  • Title: PhpWeasyPrint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
  • Weaknesses: CWE-78
  • References: none listed
  • Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T16:59:01.208Z

Reserved: 2026-05-28T14:33:01.179Z

Link: CVE-2026-49260

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:00:11Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')