Description
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115. The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj). PhpWeasyPrint version 2.6.0 contains a patch for the issue.
Published: 2026-06-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PhpWeasyPrint is a PHP library used to generate PDFs from URLs or HTML content. A case‑sensitive blacklist was used to block the 'phar://' stream wrapper in the output filename, but PHP stream wrappers are case‑insensitive. An attacker can supply 'PHAR://', 'Phar://', or other uppercase variations to bypass the check and cause the library to call file_exists on a crafted PHAR archive. In PHP 7.4+ this leads to deserialization of the archive’s metadata, allowing arbitrary code execution. The flaw is a deserialization vulnerability (CWE‑502). Version 2.6.0 of the library contains the patch that removes the case‑sensitive bypass.

Affected Systems

The vulnerable product is the PHP‑based library pontedilana/php-weasyprint. All releases before version 2.6.0, which include support for PHP 7.4 and newer, are affected. The library is typically embedded in web applications or scripts that generate PDFs, so any system using those versions is at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. Successful exploitation requires that the application supply a user‑controlled output filename to the library; the vulnerability is not exposed as a standalone network service. Based on the description, it is inferred that an attacker can influence the filename through web forms, APIs, or other input mechanisms. If the check is bypassed, the attacker gains remote code execution on the host running the PHP process.

Generated by OpenCVE AI on June 19, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade php-weasyprint to version 2.6.0 or newer, which removes the case‑sensitive phar:// bypass.
  • Sanitize any user‑supplied output filenames before passing them to the library by rejecting or normalizing strings that match the pattern phar:// in any case.
  • If an immediate upgrade is not possible, isolate the PDF generation functionality in a sandboxed environment that prevents PHAR stream wrapper access or remove the PHP Phar stream from the runtime.

Generated by OpenCVE AI on June 19, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2fmj-p74r-3wjm PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
History

Mon, 22 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Pontedilana
Pontedilana php-weasyprint
Vendors & Products Pontedilana
Pontedilana php-weasyprint

Fri, 19 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115. The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj). PhpWeasyPrint version 2.6.0 contains a patch for the issue.
Title PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Pontedilana Php-weasyprint
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T14:23:32.894Z

Reserved: 2026-05-28T20:07:58.862Z

Link: CVE-2026-49286

cve-icon Vulnrichment

Updated: 2026-06-22T14:22:42.953Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:35:01Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data