Description
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()` — invoked from `__destruct()` and from a registered shutdown function — calls `unlink()` on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue GHSA-87qc-37cw-84h4. PhpWeasyPrint version 2.6.0 contains a patch for the issue.
Published: 2026-06-19
Score: 3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PhpWeasyPrint is a PHP library that generates PDFs from URLs or HTML. In versions older than 2.6.0, the public array AbstractGenerator::$temporaryFiles can be appended with arbitrary paths. When the object is destroyed or the registered shutdown function runs, the library calls unlink() on every entry without verifying that the file resides in the temporary directory. Any code that can influence the contents of the array can therefore cause any file the PHP process is permitted to delete to be removed when the script terminates, leading to data loss or service disruption. This is an integrity and availability issue (CWE-73, external control of a file path), not remote code execution, but the impact can be serious if configuration files, application code or stored data are targeted.

Affected Systems

The affected product is PhpWeasyPrint from the vendor pontedilana. All releases before version 2.6.0 are vulnerable. The patch that removes the vulnerability was included in the 2.6.0 release, as referenced in the official changelog and commit record.

Risk and Exploitability

The CVSS 3.1 base score is 3.0 (Low), with vector AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L, and no EPSS value is currently available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to manipulate a live generator instance, which in practice means code already running in the same PHP process, for example via a separate injection flaw or a compromised dependency. No remote exploitation path is publicly documented, so the risk to remote attackers is limited, but any such code can queue the deletion of an arbitrary file and have it carried out automatically at shutdown.

Generated by OpenCVE AI on June 19, 2026 at 21:19 UTC.

Remediation

A vendor fix is available: PhpWeasyPrint 2.6.0 contains the patch (see the Description above). No separate workaround is documented by the vendor.

OpenCVE Recommended Actions

  • Upgrade PhpWeasyPrint to version 2.6.0 or newer, the release that contains the patch.
  • Audit existing code for any custom or legacy use of AbstractGenerator in which $temporaryFiles is read or written from outside the generator, and make sure nothing but the generator itself can add paths to it.
  • If upgrading is not immediately possible, subclass the generator and override removeTemporaryFiles() so that only entries which resolve (via realpath()) to regular files inside the temporary folder are passed to unlink(). A wrapper cannot stop writes to a public property, so the filter has to live in the cleanup routine itself.
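
The mechanism given in the Description and Impact above, and the containment filter suggested in the third recommended action, as an added PHP example that is not PhpWeasyPrint's code: the first class reproduces the described shape (a public $temporaryFiles array, cleanup from __destruct() and a registered shutdown function, an unconditional unlink()), the second overrides the cleanup with an assumed realpath()-based check. The class names, the demo paths under sys_get_temp_dir() and the hardening approach are assumptions made here; the upstream 2.6.0 patch is not reproduced.

```php
<?php
// Added example for this advisory page, not PhpWeasyPrint's code. It models
// the pattern the description gives (a public list of temporary files that a
// cleanup routine unlinks from __destruct() and a shutdown function) and an
// assumed containment check as a stop-gap. Class names and the demo paths
// are illustrative; the upstream 2.6.0 patch may differ in detail.
declare(strict_types=1);

// Vulnerable shape: the file list is public and cleanup trusts every entry.
class VulnerableGenerator
{
    public array $temporaryFiles = [];
    protected string $temporaryFolder;

    public function __construct(string $temporaryFolder)
    {
        $this->temporaryFolder = $temporaryFolder;
        // Mirrors the advisory: cleanup is also hooked to script shutdown.
        register_shutdown_function([$this, 'removeTemporaryFiles']);
    }

    public function createTemporaryFile(string $content): string
    {
        $path = tempnam($this->temporaryFolder, 'pwp_');
        file_put_contents($path, $content);
        $this->temporaryFiles[] = $path;
        return $path;
    }

    public function removeTemporaryFiles(): void
    {
        foreach ($this->temporaryFiles as $file) {
            if (is_file($file)) {
                unlink($file);          // no check that $file is ours
            }
        }
        $this->temporaryFiles = [];
    }

    public function __destruct()
    {
        $this->removeTemporaryFiles();
    }
}

// Hardened shape (assumed mitigation): resolve the path and only unlink
// regular files that sit directly inside the temporary folder. realpath()
// collapses ../ segments and symlinks, so a pushed path cannot escape.
class HardenedGenerator extends VulnerableGenerator
{
    public function removeTemporaryFiles(): void
    {
        $root = realpath($this->temporaryFolder);
        foreach ($this->temporaryFiles as $file) {
            $real = realpath($file);    // false if the file does not exist
            if ($root !== false && $real !== false
                && dirname($real) === $root && is_file($real)) {
                unlink($real);
            }
        }
        $this->temporaryFiles = [];
    }
}

// Demonstration on a constructed layout: the generator's temp folder and an
// unrelated file outside it that an attacker wants deleted.
$base       = sys_get_temp_dir() . '/pwp_demo_' . getmypid();
$tempFolder = $base . '/temp';
$victim     = $base . '/important.txt';
mkdir($tempFolder, 0700, true);

foreach ([VulnerableGenerator::class, HardenedGenerator::class] as $class) {
    file_put_contents($victim, 'do not delete');
    $gen = new $class($tempFolder);
    $gen->createTemporaryFile('<html>stub</html>');
    $gen->temporaryFiles[] = $victim;   // the attacker's push
    // Force the cleanup that __destruct()/shutdown would otherwise run.
    $gen->removeTemporaryFiles();
    printf("%-20s victim still exists: %s\n", $class,
        var_export(file_exists($victim), true));
}

// Tidy up the constructed layout.
if (file_exists($victim)) {
    unlink($victim);
}
rmdir($tempFolder);
rmdir($base);
```

Run it with the php CLI. With the vulnerable class the unrelated important.txt is gone after cleanup; with the hardened class it survives and only the tempnam() file inside the temporary folder is removed. The direct-child test (dirname() equal to the folder's realpath()) matches the flat layout tempnam() produces; a generator that creates nested directories would need a prefix check on the resolved path instead.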


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type         Values Removed   Values Added
Description  -                (identical to the Description at the top of this page)
Title        -                PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
Weaknesses   -                CWE-73
References   -                
Metrics      -                cvssV3_1: score 3.0, vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-19T14:52:05.368Z
Reserved: 2026-05-29T14:35:45.904Z
Link: CVE-2026-49358

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T21:30:17Z

Weaknesses
  • CWE-73: External Control of File Name or Path