CVE-2026-49260
Status: Received - Intake
Command Injection in PhpWeasyPrint Library

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.5.1, `pontedilana/php-weasyprint` builds the shell command for WeasyPrint by passing the binary path through `escapeshellarg()` first and then checking the *quoted* result with `is_executable()`. On POSIX `escapeshellarg('/usr/local/bin/weasyprint')` returns `'/usr/local/bin/weasyprint'` with the single-quote characters as part of the string, so `is_executable()` looks for a file whose actual name includes those quotes. That file never exists, the "safe" branch is dead code, and the raw `$binary` string (set via the constructor or `setBinary()`) flows directly into `Symfony\Component\Process\Process::fromShellCommandline()`. Any deployment whose binary path is sourced from configuration, an environment variable, or a per-tenant setting reaches a shell-command-injection sink. The library is documented as a one-to-one substitute for KnpLabs/snappy and inherited the exact pre-fix codepath KnpLabs patched in GHSA-vpr4-p6fq-85jc. PhpWeasyPrint version 2.5.1 contains a patch for the issue.
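To make the dead-branch behaviour concrete, the following is an added PHP illustration written for this page; it is not the library's own source. It models a minimal command builder with the pre-2.5.1 ordering (quote first, then test executability) next to the corrected ordering (test the raw path first, fail closed, then quote). The class and method names and the tainted sample path are constructed for the demonstration; only command strings are built, nothing is executed.

```php
<?php
declare(strict_types=1);

// Illustrative only: not pontedilana/php-weasyprint source. Models the
// pre-2.5.1 ordering (escapeshellarg() before is_executable()) and the
// corrected ordering (is_executable() on the raw path, then escapeshellarg()).

final class CommandBuilderDemo
{
    /** Pre-fix ordering: the executability test runs on the QUOTED string. */
    public static function vulnerableBuild(string $binary, string $input, string $output): string
    {
        $quoted = escapeshellarg($binary);   // on POSIX the single quotes are part of the returned string
        if (is_executable($quoted)) {        // stat()s a file whose name literally includes the quotes: never exists
            return sprintf('%s %s %s', $quoted, escapeshellarg($input), escapeshellarg($output));
        }
        // The branch above is dead, so every call falls through to the RAW value.
        return sprintf('%s %s %s', $binary, escapeshellarg($input), escapeshellarg($output));
    }

    /** Fixed ordering: validate the raw path, fail closed, then quote it. */
    public static function hardenedBuild(string $binary, string $input, string $output): string
    {
        if (!is_executable($binary)) {
            throw new \RuntimeException(sprintf('WeasyPrint binary "%s" is not executable', $binary));
        }
        return sprintf('%s %s %s', escapeshellarg($binary), escapeshellarg($input), escapeshellarg($output));
    }
}

// Constructed sample: a shell-meaningful "binary path" of the kind an
// attacker-influenced setting could carry. Harmless here because the string
// is only printed, never passed to a shell.
$tainted = '/usr/local/bin/weasyprint; id';

// The vulnerable builder emits the raw value, so the text after ';' would be a
// second command once the string reaches Process::fromShellCommandline().
echo CommandBuilderDemo::vulnerableBuild($tainted, 'in.html', 'out.pdf'), PHP_EOL;

// The core of the bug: the quoted form is tested, and it names a file that does
// not exist even when the real binary is installed and executable.
echo escapeshellarg('/usr/local/bin/weasyprint'), PHP_EOL;
var_dump(is_executable(escapeshellarg('/usr/local/bin/weasyprint')));

// The hardened builder rejects the tainted value before any command string exists.
try {
    CommandBuilderDemo::hardenedBuild($tainted, 'in.html', 'out.pdf');
} catch (\RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Quoting correctly is the minimal fix the page describes. A stronger design, offered here as an editorial recommendation rather than as what the project did, is to avoid the shell entirely by passing an argument array to Symfony's `new Process([$binary, $input, $output])`; with no shell in the path there is nothing for metacharacters in `$binary` to modify, and the executability check becomes a robustness measure rather than the only security boundary.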
Meta Information
Published: 2026-06-19
Last Modified: 2026-06-19
Generated: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)

Vendor        Product           Version / Range
pontedilana   php-weasyprint    up to 2.5.1 (excluding)
knplabs       snappy            up to 1.7.0 (including)
knplabs       snappy            up to 1.7.1 (including)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

In php-weasyprint versions prior to 2.5.1 the WeasyPrint binary path is quoted with escapeshellarg() and the quoted result is then tested with is_executable(). Because the single quotes become part of the filename being tested, that test never succeeds, the intended safe branch is dead code, and the raw, unescaped binary path is interpolated into the command string handed to Symfony's Process::fromShellCommandline().

The sink is only reachable through the binary path, not through the URL or HTML being rendered. Where that path is sourced from configuration, an environment variable, or a per-tenant setting that an attacker can influence, appending shell metacharacters and further commands to it yields arbitrary command execution with the privileges of the PHP process.

The codepath is the same one KnpLabs/snappy patched in GHSA-vpr4-p6fq-85jc. php-weasyprint 2.5.1 fixes it by testing the raw path with is_executable() before quoting it and raising an exception when the path is not executable.

Impact Analysis

This vulnerability is an OS command injection: whatever trails the binary path is executed by the shell that Process::fromShellCommandline() invokes, with the privileges of the PHP worker. The precondition matters for triage: exposure is limited to deployments where the binary path itself is attacker-influenced (multi-tenant settings, writable configuration, a controllable environment), since the rendered document content does not reach this sink. Consequences where the precondition holds:

  • Execution of malicious commands with the privileges of the PHP process.
  • Potential full compromise of the server environment.
  • Data theft, data loss, or unauthorized access to sensitive information.
  • Disruption of service or system integrity.
Detection Guidance

Confirm the installed version first: every `pontedilana/php-weasyprint` release below 2.5.1 carries the flawed ordering, however the binary path is configured. `composer show pontedilana/php-weasyprint`, or the package entry in `vendor/composer/installed.json`, gives the exact version.

Then trace where the binary path comes from. The sink is reachable only when the value passed to the constructor or `setBinary()` is influenced from outside the codebase (deployment configuration, an environment variable, a per-tenant setting). A hard-coded literal is not exploitable through this bug, although the upgrade is still warranted.

Note that checking whether `/usr/local/bin/weasyprint` is executable (`test -x`, or `is_executable()` on the unquoted path) says nothing about the vulnerability: the flaw is that the library tests the *quoted* string, so the real binary's permissions have no bearing on whether the unsafe branch is taken.

  • Review the vendored source (or any fork) for a command builder that calls `escapeshellarg()` on the binary before `is_executable()`; the fixed ordering tests the raw path first and throws when it is not executable.
  • Inspect configuration files, environment variables and tenant settings for binary-path values containing shell metacharacters (`;`, `|`, `&`, backticks, `$(`) or pointing outside the expected installation directories.
  • In process telemetry, look for the PHP worker (php-fpm, apache2, php) spawning `sh -c` with a command line that begins with the WeasyPrint path and continues with additional commands; a successful injection shows up there before it shows up on disk.
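The version check and the source-pattern review above can be scripted. The following PHP helper is an added example for this page, not part of php-weasyprint: it reads Composer's `vendor/composer/installed.json` (Composer 1 and 2 layouts), flags `pontedilana/php-weasyprint` below 2.5.1, and applies a heuristic regex for the quote-then-stat anti-pattern to the package source. The `src/` directory location under `vendor/pontedilana/php-weasyprint/` is an assumption of this example, as is treating `dev-*` versions as suspect.

```php
<?php
declare(strict_types=1);

// Added detection helper (not part of php-weasyprint). Usage:
//   php check_weasyprint.php /path/to/project/vendor

const PACKAGE       = 'pontedilana/php-weasyprint';
const FIXED_VERSION = '2.5.1';

/** Returns the installed version of PACKAGE (leading "v" stripped), or null if absent. */
function installedVersion(string $vendorDir): ?string
{
    $file = $vendorDir . '/composer/installed.json';
    if (!is_readable($file)) {
        return null;
    }
    $data = json_decode((string) file_get_contents($file), true);
    // Composer 2 wraps the list in {"packages": [...]}, Composer 1 stores a bare list.
    $packages = $data['packages'] ?? $data;
    foreach ($packages as $pkg) {
        if (($pkg['name'] ?? '') === PACKAGE) {
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

/** True when the version is below FIXED_VERSION. Non-numeric versions (dev-main etc.) are flagged, since they cannot be proven fixed. */
function isVulnerableVersion(string $version): bool
{
    if (!preg_match('/^\d+(\.\d+)*/', $version)) {
        return true;
    }
    return version_compare($version, FIXED_VERSION, '<');
}

/**
 * Heuristic: a variable assigned from escapeshellarg() that is later passed to
 * is_executable(). Matches the ordering described in the advisory; useful for
 * forks or vendored copies where the version number is not authoritative.
 * Returns the paths of matching .php files.
 */
function scanForQuotedExecutableCheck(string $dir): array
{
    if (!is_dir($dir)) {
        return [];
    }
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $src = (string) file_get_contents($file->getPathname());
        if (preg_match('/\$(\w+)\s*=\s*escapeshellarg\s*\(.*?\)\s*;.*?is_executable\s*\(\s*\$\1\s*\)/s', $src)) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

$vendor  = $argv[1] ?? __DIR__ . '/vendor';
$version = installedVersion($vendor);

if ($version === null) {
    echo PACKAGE . " not found under {$vendor}\n";
} elseif (isVulnerableVersion($version)) {
    echo 'VULNERABLE: ' . PACKAGE . " {$version} < " . FIXED_VERSION . " (CVE-2026-49260)\n";
} else {
    echo 'OK: ' . PACKAGE . " {$version}\n";
}

// Assumed source location; adjust if the package layout differs.
foreach (scanForQuotedExecutableCheck($vendor . '/pontedilana/php-weasyprint/src') as $hit) {
    echo "Quote-then-is_executable pattern in: {$hit}\n";
}
```

The version comparison is the authoritative signal; the regex is deliberately loose (it matches across intervening statements) and is there to catch copies of the codepath that a version string would miss, so review its hits by hand rather than treating them as proof.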
Mitigation Strategies

Upgrade `pontedilana/php-weasyprint` to 2.5.1 or later. That release reorders the check so the raw binary path is tested with `is_executable()` before it is quoted, and a non-executable path raises an exception instead of falling through to the raw string.

If you cannot upgrade immediately, validate the path yourself before it reaches the constructor or `setBinary()`: resolve it with `realpath()`, require `is_executable()` on the resolved path, restrict it to an allowlist of installation directories, and reject any value containing shell metacharacters. This reproduces the fixed library's guarantee at the call site.

Independently of the fix, stop sourcing the binary path from tenant- or user-influenced settings; it should be a deployment constant owned by the operator. Environment variables are acceptable only where the environment is not writable by the workloads the application serves.

The associated CPE list also names KnpLabs/snappy 1.7.0 and 1.7.1; deployments of that library should be checked against GHSA-vpr4-p6fq-85jc, since PhpWeasyPrint inherited the codepath from it.
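The call-site workaround, as an added PHP 8 example written for this page (not project code): a small guard that resolves the configured WeasyPrint path to a real, executable file inside an operator-chosen allowlist of directories, and rejects shell metacharacters, before the value is handed to the library's constructor or `setBinary()`. The class name, the allowlist contents and the `WEASYPRINT_BINARY` environment variable are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added workaround example (not from php-weasyprint). Requires PHP 8.0+
// (constructor promotion, str_starts_with).

final class BinaryPathGuard
{
    /** @param list<string> $allowedDirs Directories from which the binary may be loaded (example assumption). */
    public function __construct(private array $allowedDirs) {}

    /** Returns the canonical path of an executable inside the allowlist, or throws. */
    public function resolve(string $configured): string
    {
        // Reject anything a shell could interpret; even if a downstream sink
        // still builds a command line, it cannot receive metacharacters.
        // Spaces are deliberately excluded as well.
        if (!preg_match('/^[A-Za-z0-9_.\/\-]+$/', $configured)) {
            throw new \InvalidArgumentException('Binary path contains disallowed characters');
        }

        // realpath() follows symlinks, so the allowlist applies to the real target.
        $real = realpath($configured);
        if ($real === false || !is_file($real) || !is_executable($real)) {
            throw new \InvalidArgumentException('Binary path is not an executable file');
        }

        foreach ($this->allowedDirs as $dir) {
            $dirReal = realpath($dir);
            if ($dirReal !== false && str_starts_with($real, rtrim($dirReal, '/') . '/')) {
                return $real;
            }
        }
        throw new \InvalidArgumentException('Binary path is outside the allowed directories');
    }
}

// Usage: the configured value never reaches the library unvalidated.
// WEASYPRINT_BINARY and the two directories are this example's assumptions.
$guard  = new BinaryPathGuard(['/usr/bin', '/usr/local/bin']);
$binary = $guard->resolve(getenv('WEASYPRINT_BINARY') ?: '/usr/local/bin/weasyprint');

// Pass $binary to the library constructor or to setBinary() as described above.
```

Because `realpath()` follows symlinks, a `/usr/local/bin/weasyprint` that points into a virtualenv elsewhere will be rejected unless that target directory is also allowlisted; that is intentional, since the allowlist is meant to describe where trusted binaries actually live. If a per-tenant setting is still consulted at all, apply the guard to it and fall back to the operator default rather than surfacing the error to the tenant.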
