Description
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.5.1, `pontedilana/php-weasyprint` builds the shell command for WeasyPrint by passing the binary path through `escapeshellarg()` first and then checking the *quoted* result with `is_executable()`. On POSIX `escapeshellarg('/usr/local/bin/weasyprint')` returns `'/usr/local/bin/weasyprint'` with the single-quote characters as part of the string, so `is_executable()` looks for a file whose actual name includes those quotes. That file never exists, the "safe" branch is dead code, and the raw `$binary` string (set via the constructor or `setBinary()`) flows directly into `Symfony\Component\Process\Process::fromShellCommandline()`. Any deployment whose binary path is sourced from configuration, an environment variable, or a per-tenant setting reaches a shell-command-injection sink. The library is documented as a one-to-one substitute for KnpLabs/snappy and inherited the exact pre-fix codepath KnpLabs patched in GHSA-vpr4-p6fq-85jc. PhpWeasyPrint version 2.5.1 contains a patch for the issue.
Published: 2026-06-19
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PhpWeasyPrint builds PDF generation commands by quoting the binary path and then incorrectly checking if the quoted string is executable. Because is_executable() looks for a file name that includes the surrounding quotes, the safe branch never fires. Consequently, the raw binary path supplied through configuration, environment, or per‑tenant settings is passed directly to the shell command, allowing an attacker to inject arbitrary commands into the process. This constitutes a shell command injection and the associated CWE‑78.

Affected Systems

Installations of the pontedilana/php-weasyprint library that run versions older than 2.5.1 are affected. Any deployment that obtains the binary path from configuration, an environment variable, or a per‑tenant setting reaches a shell-command-injection sink. The library is documented as a one-to-one substitute for KnpLabs/snappy and inherited the exact pre‑fix codepath KnpLabs patched in GHSA‑vpr4‑p6fq‑85jc. PhpWeasyPrint version 2.5.1 contains a patch for the issue.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity with potential for remote code execution. The EPSS is not available, but the vulnerability remains exploitable via standard command‑injection techniques once the configuration is compromised. The library is not listed in the CISA KEV catalog, but the risk is significant for systems that expose the binary path to untrusted sources.

Generated by OpenCVE AI on June 19, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the php-weasyprint package to version 2.5.1 or later to apply the official fix.
  • Verify that any configuration or environment variable used to specify the WeasyPrint binary path is sourced from a trusted location and is not influenced by user input.
  • Restrict the execution context of the library, for example by running it inside a sandboxed environment or container that limits the available shell commands and paths.

Generated by OpenCVE AI on June 19, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f5gc-qxf8-mh9g php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
History

Mon, 22 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Pontedilana
Pontedilana php-weasyprint
Vendors & Products Pontedilana
Pontedilana php-weasyprint

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.5.1, `pontedilana/php-weasyprint` builds the shell command for WeasyPrint by passing the binary path through `escapeshellarg()` first and then checking the *quoted* result with `is_executable()`. On POSIX `escapeshellarg('/usr/local/bin/weasyprint')` returns `'/usr/local/bin/weasyprint'` with the single-quote characters as part of the string, so `is_executable()` looks for a file whose actual name includes those quotes. That file never exists, the "safe" branch is dead code, and the raw `$binary` string (set via the constructor or `setBinary()`) flows directly into `Symfony\Component\Process\Process::fromShellCommandline()`. Any deployment whose binary path is sourced from configuration, an environment variable, or a per-tenant setting reaches a shell-command-injection sink. The library is documented as a one-to-one substitute for KnpLabs/snappy and inherited the exact pre-fix codepath KnpLabs patched in GHSA-vpr4-p6fq-85jc. PhpWeasyPrint version 2.5.1 contains a patch for the issue.
Title PhpWeasyPrint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Pontedilana Php-weasyprint
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T19:45:22.647Z

Reserved: 2026-05-28T14:33:01.179Z

Link: CVE-2026-49260

cve-icon Vulnrichment

Updated: 2026-06-22T19:44:50.998Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')