Description
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` fetches the content of option values server-side via `file_get_contents()` when the value looks like a URL, without restricting the URL scheme. The `attachment` option of `Pdf` is the reachable sink: any value that passes `isOptionUrl()` (`filter_var(..., FILTER_VALIDATE_URL)`) is downloaded by the PHP process and embedded into the generated PDF. Because `FILTER_VALIDATE_URL` accepts `http`, `https`, `ftp`, `file` and PHP stream wrappers such as `php://`, an attacker who can influence the `attachment` value reaches both a **Server-Side Request Forgery** primitive (e.g. internal HTTP endpoints, cloud metadata) and a local file disclosure primitive (`file://`, `php://filter/...`), with the fetched bytes exfiltrated as a PDF attachment. This is the same class of issue KnpLabs/snappy patched for its `xsl-style-sheet` option in GHSA-c5fp-p67m-gq56. The library is documented as a one-to-one substitute for KnpLabs/snappy and shares the same code shape. PhpWeasyPrint version 2.6.0 contains a patch for the issue.
Published: 2026-06-19
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PhpWeasyPrint, a PHP library for generating PDFs from a URL or HTML, fetches option values with file_get_contents() when they look like URLs. The attachment option is a reachable sink that accepts any value validated by FILTER_VALIDATE_URL, which includes http, https, ftp, file, and PHP stream wrappers such as php://. Because the library does not restrict the scheme, an attacker who can influence the attachment value can cause the server to fetch arbitrary URLs or local files. This yields a Server-Side Request Forgery that can reach internal HTTP endpoints or cloud metadata services, and a local file disclosure that can read files via file:// or php://filter wrappers. The fetched data is then embedded in the generated PDF and exfiltrated as an attachment, exposing sensitive data or internal services.

Affected Systems

The vulnerability affects the PHP library pontedilana/php-weasyprint in all releases prior to version 2.6.0. Any application that incorporates this library and accepts untrusted values for the attachment option is potentially impacted.

Risk and Exploitability

The CVSS score of 6.5 places the issue at Medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is no indication of widespread exploitation. The sink is server-side, however, and the attachment value is often derived from user-supplied data, so an attacker who can influence that value can exploit the issue; the risk therefore depends on the application's attack surface and on whether untrusted input can reach the attachment option.

Generated by OpenCVE AI on June 19, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pontedilana/php-weasyprint to version 2.6.0 or later, which adds URL scheme validation for option values
  • If an upgrade is not immediately possible, configure your application to reject or sanitize the attachment option before passing it to the library, blocking unsupported schemes such as file:// and php://
  • Implement additional input validation or whitelisting to allow only http, https, or trusted hostnames for attachment values
  • Monitor application logs for unexpected file_get_contents calls or downloads from internal resources to detect potential misuse
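The following PHP is an added example, not PhpWeasyPrint's code: it contrasts a check with the same shape as the pre-2.6.0 `isOptionUrl()` described above (bare `FILTER_VALIDATE_URL`, any scheme accepted) with the kind of scheme-and-host allowlist the recommended actions call for, applied in the application before the value reaches the `attachment` option. The function names `isOptionUrlWeak` and `isSafeAttachmentUrl`, the allowlisted host and the sample values are all constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Weak check, same shape as the pre-2.6.0 isOptionUrl() the advisory
// describes: FILTER_VALIDATE_URL accepts file, php, ftp and other schemes.
function isOptionUrlWeak(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_URL) !== false;
}

// Hardened check (hypothetical helper, not library code): accept only
// http/https to an exactly matching allowlisted host. Assumption: the
// application knows which hosts legitimately serve attachment files.
function isSafeAttachmentUrl(string $value, array $allowedHosts): bool
{
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // file:///... has no host and is rejected here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // rejects php://, ftp:// and any other non-HTTP scheme
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

$allowedHosts = ['assets.example.internal']; // constructed allowlist

// Constructed sample values covering the scheme classes the advisory names.
$samples = [
    'https://assets.example.internal/terms.pdf',
    'file:///etc/hostname',
    'php://filter/resource=config.php',
    'http://internal-admin.local/status',
];

foreach ($samples as $url) {
    printf(
        "%-44s weak=%-6s hardened=%s\n",
        $url,
        isOptionUrlWeak($url) ? 'accept' : 'reject',
        isSafeAttachmentUrl($url, $allowedHosts) ? 'accept' : 'reject'
    );
}
```

The weak check accepts all four samples, while the hardened check accepts only the allowlisted HTTPS host; rejecting unknown hosts is what closes the internal-endpoint case that a scheme check alone leaves open.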



Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Values added (no values removed):
  • Description: identical to the Description section above
  • Title: PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
  • Weaknesses: CWE-918
  • References: (none listed)
  • Metrics: cvssV3_1, score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T17:06:12.737Z

Reserved: 2026-05-29T14:35:45.904Z

Link: CVE-2026-49359

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:00:11Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)