Shell Command Injection in PhpWeasyPrint by Vendor Pontedilana
CVE-2026-49260

8.2 HIGH

Key Information:

Vendor
CVE Published:
19 June 2026

What is CVE-2026-49260?

PhpWeasyPrint, a PHP library for generating PDFs from URLs or HTML pages, contains a shell command injection vulnerability caused by improper handling of the shell command it builds. Before version 2.5.1, the library checks incorrectly whether the WeasyPrint binary can be executed: on POSIX systems escapeshellarg() wraps its argument in single quotes, so the is_executable() check is applied to a quoted string that names no file on disk. Because that check never validates the real path, an attacker who controls the raw binary path, in particular through configuration files or environment variables, can inject shell commands and obtain unauthorized command execution. Version 2.5.1 fixes the issue; upgrade to it.
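The pattern the description refers to, as an added illustration that is not php-weasyprint's own code: the flawed check quotes the path before testing it, while a hardened variant validates the raw path on disk and only then quotes it for the command line. The helper names resolveBinary() and buildCommand() are hypothetical, and /bin/sh stands in for the WeasyPrint binary so the script runs on any POSIX host.

```php
<?php
// Added illustration (hypothetical code, not php-weasyprint's own).
// On POSIX, escapeshellarg() wraps its argument in single quotes, so the
// result can never name a file that exists on disk.

/** Flawed pattern: the quoted string, not the raw path, is tested. */
function flawedCheck(string $binary): bool
{
    // On POSIX this is always false: "'/usr/bin/weasyprint'" is not a path,
    // so the check provides no protection for the raw value.
    return is_executable(escapeshellarg($binary));
}

/**
 * Hardened pattern: resolve and validate the raw path first, then quote
 * the validated result when building the command. A value that is not an
 * existing executable file (including one carrying shell metacharacters)
 * is rejected before it can reach a shell.
 */
function resolveBinary(string $binary): string
{
    $candidates = [$binary];
    if (!str_contains($binary, '/')) {        // bare name: search PATH
        foreach (explode(PATH_SEPARATOR, (string) getenv('PATH')) as $dir) {
            $candidates[] = $dir . '/' . $binary;
        }
    }
    foreach ($candidates as $candidate) {
        $real = realpath($candidate);
        if ($real !== false && is_file($real) && is_executable($real)) {
            return $real;
        }
    }
    throw new RuntimeException('Not an executable file: ' . $binary);
}

function buildCommand(string $binary, string $input, string $output): string
{
    return escapeshellarg(resolveBinary($binary))
        . ' ' . escapeshellarg($input)
        . ' ' . escapeshellarg($output);
}

// Constructed demo values; /bin/sh stands in for the WeasyPrint binary.
$trusted    = '/bin/sh';
$fromConfig = '/bin/sh; echo injected';   // constructed hostile configuration value

var_dump(flawedCheck($trusted));
echo buildCommand($trusted, 'in.html', 'out.pdf'), PHP_EOL;
try {
    buildCommand($fromConfig, 'in.html', 'out.pdf');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Running it shows the flawed check failing even for a genuine executable, the trusted path producing a fully quoted command, and the hostile configuration value being rejected before any command is built.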

Affected Version(s)

php-weasyprint < 2.5.1

CVSS v3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
