PHP Library Vulnerability in PhpWeasyPrint Affects PDF Generation
CVE-2026-49358


Key Information:

CVE Published: 19 June 2026

What is CVE-2026-49358?

PhpWeasyPrint, a PHP library that generates PDFs from URLs or HTML pages, contains an improper input validation issue in versions before 2.6.0. The AbstractGenerator::$temporaryFiles array is publicly accessible, and removeTemporaryFiles() does not verify the paths in it before calling unlink() on them. An attacker who can insert arbitrary paths into the array could therefore cause unintended files to be deleted when the script terminates. The issue is patched in version 2.6.0.
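The mitigation pattern for this class of bug, as an added example that is not PhpWeasyPrint's code or its 2.6.0 patch: keep the cleanup list private and re-validate every path immediately before unlink(). The class name TempFileTracker and its methods are hypothetical, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);
// Hypothetical class for illustration; not PhpWeasyPrint's AbstractGenerator.
final class TempFileTracker
{
    /** @var array<string, true> private, so callers cannot append arbitrary paths */
    private array $files = [];
    private string $baseDir;

    /** Resolve the temp directory once and schedule cleanup for script termination. */
    public function __construct(?string $baseDir = null)
    {
        $resolved = realpath($baseDir ?? sys_get_temp_dir());
        if ($resolved === false || !is_dir($resolved)) {
            throw new RuntimeException('Temporary directory is not usable');
        }
        $this->baseDir = rtrim($resolved, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        register_shutdown_function([$this, 'removeAll']);
    }

    /** Create and register a temp file; the only way a path enters the list. */
    public function create(string $prefix = 'pdf_'): string
    {
        $path = tempnam($this->baseDir, $prefix);
        if ($path === false) {
            throw new RuntimeException('Could not create temporary file');
        }
        $this->files[$path] = true;
        return $path;
    }

    /** Delete tracked files, re-checking each path right before unlink(). */
    public function removeAll(): void
    {
        foreach (array_keys($this->files) as $path) {
            $real = realpath($path);
            $inside = $real !== false && str_starts_with($real, $this->baseDir);
            // Skip symlinks and anything that resolves outside the temp directory.
            if ($inside && is_file($real) && !is_link($path)) {
                unlink($real);
            }
            unset($this->files[$path]);
        }
    }
}
// Usage with a constructed sample file.
$tracker = new TempFileTracker();
$tmp = $tracker->create();
file_put_contents($tmp, '<html><body>constructed sample</body></html>');
$tracker->removeAll();
```

The containment check matters even with a private list, because a tracked path can be replaced by a symlink between creation and cleanup.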

Affected Version(s)

php-weasyprint < 2.6.0

CVSS V3.1

Score: 3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
