PHP Library Flaw Leads to Remote Code Execution in Pdf Generation Tool by Pontedilana
CVE-2026-49286

8.1 HIGH

Key Information:

Vendor
CVE Published: 19 June 2026

What is CVE-2026-49286?

The PhpWeasyPrint library, a PHP solution for generating PDFs from URLs or HTML pages, is vulnerable before version 2.6.0. The library guards the output filename against the phar:// PHP stream wrapper, but the guard does not account for the wrapper name being matched case-insensitively. A differently cased spelling of the PHAR scheme therefore passes the guard, and the filename can reach the fileExists() check. On PHP 7.4 or higher, that check can trigger deserialization of metadata from a malicious PHAR archive, resulting in remote code execution. The issue is patched in PhpWeasyPrint version 2.6.0.
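The following is an added illustration and is not code from PhpWeasyPrint: two hypothetical output-filename guards (names are assumed), the first matching the scheme case-sensitively as the description indicates, the second rejecting any stream-wrapper scheme case-insensitively so that only a plain local path is accepted before a filesystem call is made.

```php
<?php
// Added example, not PhpWeasyPrint code. PHP stream wrapper names are matched
// case-insensitively, so "PHAR://" and "Phar://" reach the same wrapper as
// "phar://". A guard that compares only the lower-case spelling is bypassed.

// Weak guard (hypothetical): rejects only the exact lower-case scheme prefix.
function weakGuard(string $filename): bool
{
    return substr($filename, 0, 7) !== 'phar://';
}

// Hardened guard (hypothetical): reject any "scheme://" prefix, matched
// case-insensitively (the /i flag), so the value can only be a plain path.
function hardenedGuard(string $filename): bool
{
    return preg_match('~^[a-z][a-z0-9+.-]*://~i', $filename) !== 1;
}

// Simple check helper so the script fails loudly on a wrong result.
function check(bool $condition, string $label): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $label");
    }
}

// Constructed inputs: only the plain local path should pass the hardened guard.
$cases = [
    '/tmp/report.pdf'        => true,
    'phar:///tmp/a.phar/out' => false,
    'PHAR:///tmp/a.phar/out' => false,
    'Phar:///tmp/a.phar/out' => false,
    'file:///tmp/report.pdf' => false,
];
foreach ($cases as $input => $expected) {
    check(hardenedGuard($input) === $expected, "hardened guard on $input");
}

// The weak guard blocks the lower-case spelling but admits the upper-case one:
// this is the gap the advisory describes.
check(weakGuard('phar:///tmp/a.phar/out') === false, 'weak guard, lower case');
check(weakGuard('PHAR:///tmp/a.phar/out') === true, 'weak guard, upper case');

// Only a filename that passed hardenedGuard() should reach file_exists().
echo "all checks passed\n";
```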

Affected Version(s)

php-weasyprint < 2.6.0

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
