Server-Side Request Forgery in PhpWeasyPrint PHP Library
CVE-2026-49359

6.5MEDIUM

Key Information:

Vendor

Pontedilana

Status
PHP-weasyprint
Vendor
CVE Published:
19 June 2026

What is CVE-2026-49359?

The PhpWeasyPrint library, used for generating PDFs from URLs or HTML content, contains a vulnerability that allows an attacker to exploit the attachment option by injecting malicious URLs. This vulnerability enables a Server-Side Request Forgery attack, which can lead to access to internal HTTP endpoints, exfiltration of sensitive data, and local file disclosures through unsafe URL schemes. The issue arises from the use of file_get_contents() without proper URL scheme restrictions prior to version 2.6.0. Users are strongly advised to upgrade to the patched version to mitigate these risks.

Affected Version(s)

php-weasyprint < 2.6.0

References

https://github.com/pontedilana/php-weasyprint/security/ad...
x_refsource_CONFIRM
https://github.com/KnpLabs/snappy/security/advisories/GHS...
x_refsource_MISC
https://github.com/pontedilana/php-weasyprint/commit/9582...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.