CVE-2026-49260
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. In versions prior to 2.5.1, there is a vulnerability that allows shell command injection due to improper validation of binary paths.
Risk Assessment
Organizations may be exposed to injection attacks, potentially leading to unauthorized command execution on the system. If exploited, an attacker could gain access to sensitive data or take control of the system.
Recommendation
It is recommended to update the PhpWeasyPrint library to version 2.5.1 or later to mitigate this vulnerability. Additionally, review configurations that may source binary paths.
Original NVD description (English source)
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.5.1, `pontedilana/php-weasyprint` builds the shell command for WeasyPrint by passing the binary path through `escapeshellarg()` first and then checking the *quoted* result with `is_executable()`. On POSIX `escapeshellarg('/usr/local/bin/weasyprint')` returns `'/usr/local/bin/weasyprint'` with the single-quote characters as part of the string, so `is_executable()` looks for a file whose actual name includes those quotes. That file never exists, the "safe" branch is dead code, and the raw `$binary` string (set via the constructor or `setBinary()`) flows directly into `Symfony\Component\Process\Process::fromShellCommandline()`. Any deployment whose binary path is sourced from configuration, an environment variable, or a per-tenant setting reaches a shell-command-injection sink. The library is documented as a one-to-one substitute for KnpLabs/snappy and inherited the exact pre-fix codepath KnpLabs patched in GHSA-vpr4-p6fq-85jc. PhpWeasyPrint version 2.5.1 contains a patch for the issue.

