CVE-2026-46643
Status: Deferred - Pending Action
Command Injection in Snappy PHP Library

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.7.1, on POSIX, escapeshellarg('/usr/bin/wkhtmltopdf') returns the literal string '/usr/bin/wkhtmltopdf' with the single-quote characters included. is_executable() is then called on that quoted string, so it looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is therefore dead code and $command always falls through to the raw, unescaped value. The rest of the arguments (options, input, output) are escaped correctly, so injection has to land in the binary string itself. That happens whenever the binary path is sourced from configuration that is user-influenced, derived from environment variables that ultimately come from request data, or concatenated with any user-controlled fragment. This issue has been patched in version 1.7.1.
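The following is an added example, not Snappy's own code: it reconstructs the pattern the description above explains (is_executable() applied to the already-quoted output of escapeshellarg(), so the escaped branch is never taken) and places a corrected version beside it. The function names and the demo paths are assumptions; the absolute-path requirement in the fixed version is an extra hardening step of this example, not something the advisory states.

```php
<?php
declare(strict_types=1);

// Hypothetical reconstruction of the vulnerable pattern described in the
// advisory (not Snappy's actual source). The escaped string still carries
// its surrounding single quotes when handed to is_executable(), so the check
// fails and the raw, unescaped path is used as the command.
function buildCommandVulnerable(string $binary, array $args): string
{
    $escaped = escapeshellarg($binary);
    // is_executable("'/usr/bin/wkhtmltopdf'") looks for a file literally named
    // with the quotes; that file does not exist, so $command is the raw path.
    $command = is_executable($escaped) ? $escaped : $binary;
    foreach ($args as $arg) {
        $command .= ' ' . escapeshellarg($arg);
    }
    return $command;
}

// Corrected pattern: validate the unescaped path first, then escape it for
// the shell. Requiring an absolute path is an additional safeguard chosen for
// this example; it rules out PATH lookups of a relative name.
function buildCommandFixed(string $binary, array $args): string
{
    if ($binary === '' || $binary[0] !== '/') {
        throw new InvalidArgumentException('binary path must be absolute');
    }
    if (!is_executable($binary)) {
        throw new InvalidArgumentException("not an executable file: $binary");
    }
    $command = escapeshellarg($binary);
    foreach ($args as $arg) {
        $command .= ' ' . escapeshellarg($arg);
    }
    return $command;
}

// Constructed demo: a temporary executable whose path contains a space, a
// benign example of a character that only survives intact when quoted.
$dir = sys_get_temp_dir() . '/snappy demo ' . getmypid();
mkdir($dir, 0700, true);
$binary = $dir . '/wkhtmltopdf';
file_put_contents($binary, "#!/bin/sh\nexit 0\n");
chmod($binary, 0700);

// Vulnerable: the space in the path is unquoted, so the shell sees two tokens.
echo 'vulnerable: ', buildCommandVulnerable($binary, ['in.html', 'out.pdf']), "\n";

// Fixed: the whole path is wrapped in single quotes.
echo 'fixed:      ', buildCommandFixed($binary, ['in.html', 'out.pdf']), "\n";

// Fixed version refuses a path that is not an executable file.
try {
    buildCommandFixed('/nonexistent/wkhtmltopdf', []);
} catch (InvalidArgumentException $e) {
    echo 'rejected:   ', $e->getMessage(), "\n";
}

unlink($binary);
rmdir($dir);
```

Run it with `php example.php` on a POSIX system. The first line of output shows the raw path being used verbatim, which is the behaviour the advisory describes; the second shows the path quoted, and the third shows that the order "validate, then escape" also gives a meaningful error instead of silently falling through.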
CVSS score: not provided
EPSS score: not yet evaluated (N/A)
Generated: 2026-06-11
Affected Vendors & Products (2 associated CPEs)

Vendor    Product   Version / Range
knplabs   snappy    < 1.7.1 (1.7.1 excluded)
snappy    snappy    < 1.7.1 (1.7.1 excluded)
CWE ID   Description
CWE-78   The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

The vulnerability CVE-2026-46643 affects the Snappy PHP library (versions up to 1.7.0) and involves a faulty check of whether the binary path is executable. Normally, the binary path is safely escaped using escapeshellarg(), which wraps it in single quotes. However, because is_executable() is applied to the already-quoted string, the check fails and the safe code branch is never executed, causing the raw, unescaped binary path to be used directly in shell commands.

This flaw allows command injection if the binary path is influenced by user input, environment variables, or request data. An attacker could supply a malicious binary path containing additional commands, leading to arbitrary command execution as the PHP process.

The issue was patched in version 1.7.1 by fixing the check to prevent passing unescaped arguments via the binary string.

Impact Analysis

This vulnerability can lead to remote code execution if an attacker can control or influence the binary path used by the Snappy library. By injecting malicious commands into the binary path, an attacker could execute arbitrary commands on the server running the PHP process.

Such exploitation could compromise the server's integrity, allowing unauthorized access, data manipulation, or further attacks within the environment.

Detection Guidance

This vulnerability can be detected by checking whether the binary path used by the Snappy PHP library is improperly escaped and potentially user-controlled. Specifically, verify whether the binary path (e.g., /usr/bin/wkhtmltopdf) is sourced from environment variables, user input, or request data without proper validation.

A practical approach is to manually verify that the binary path is executable before instantiating the Pdf object in your PHP code.

While no direct network commands are provided, you can audit your PHP application code for usage of Snappy versions <= 1.7.0 and check for any environment variables or configuration parameters that influence the binary path.

  • Use PHP code to check whether the binary path is executable, for example: `is_executable('/usr/bin/wkhtmltopdf')`. Call it on the raw path, not on the output of escapeshellarg(), since the quoted string never matches a real file.
  • Search your codebase or environment for user-influenced variables that set the binary path, e.g., `grep -r 'wkhtmltopdf' .` or `env | grep WKHTMLTOPDF`.
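To support the version audit described above, here is an added example (not part of the advisory or of Snappy) that reads a composer.lock and reports whether an installed Snappy is below the fixed version. It assumes the library is installed under the Composer package name knplabs/knp-snappy; the sample lock content is constructed for the demo.

```php
<?php
declare(strict_types=1);

// Assumed Composer package name for the Snappy library; adjust if your
// lock file uses a different name.
const SNAPPY_PACKAGE = 'knplabs/knp-snappy';
const FIXED_VERSION  = '1.7.1';

// Returns the installed version if it is below FIXED_VERSION, otherwise null
// (package absent or already patched). Checks both runtime and dev sections.
function findVulnerableSnappy(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? '') !== SNAPPY_PACKAGE) {
                continue;
            }
            // Strip a leading "v" so version_compare sees plain numbers.
            // Branch aliases such as "dev-master" compare as lower than a
            // release and are therefore reported for manual review.
            $version = ltrim((string) $pkg['version'], 'v');
            return version_compare($version, FIXED_VERSION, '<') ? $version : null;
        }
    }
    return null;
}

// Constructed sample lock content used when no file path is given.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'psr/log', 'version' => '3.0.0'],
        ['name' => 'knplabs/knp-snappy', 'version' => 'v1.7.0'],
    ],
    'packages-dev' => [],
]);

$path = $argv[1] ?? null;
$json = $path !== null ? file_get_contents($path) : $sampleLock;
$vuln = findVulnerableSnappy($json);

echo $vuln === null
    ? 'Snappy not found or already >= ' . FIXED_VERSION . "\n"
    : 'VULNERABLE: ' . SNAPPY_PACKAGE . " $vuln < " . FIXED_VERSION . " (CVE-2026-46643)\n";
```

Usage: `php check_snappy.php /path/to/composer.lock`; with no argument it runs against the embedded sample and reports the 1.7.0 entry as vulnerable. A version check alone does not tell you whether the binary path is user-influenced, so pair it with the configuration review above.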
Mitigation Strategies

The immediate mitigation step is to upgrade the Snappy PHP library to version 1.7.1 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, manually verify that the binary path used is executable and not influenced by user input or environment variables derived from request data.

Avoid concatenating or using user-controlled fragments in the binary path configuration.

Review your application configuration and environment to ensure the binary path is hardcoded or securely set.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
