CVE-2026-49286
Status: Received - Intake
Phar Deserialization RCE in PhpWeasyPrint Library

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist. PHP stream wrappers are case-insensitive, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (the library still supports PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115. The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj). PhpWeasyPrint version 2.6.0 contains a patch for the issue.
Affected Vendors & Products
Vendor         Product          Version / Range
pontedilana    php_weasyprint   2.6.0
pontedilana    php_weasyprint   up to 2.6.0 (excluding)
knplabs        knp_snappy       up to 1.4.3 (excluding)
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

CVE-2026-49286 is a security vulnerability in the PhpWeasyPrint PHP library, which generates PDFs from URLs or HTML pages. The library blocked the 'phar://' stream wrapper in output filenames with a case-sensitive blacklist, but PHP resolves stream wrappers case-insensitively (it lowercases the prefix before looking the wrapper up), so variations such as 'PHAR://' or 'Phar://' pass the check unchanged. When the library then calls file_exists() on such a filename, PHP 7 opens the referenced archive and unserializes its metadata, which is the path to remote code execution.

The vulnerability is a bypass of a previous patch (CVE-2023-28115) and affects versions of pontedilana/php-weasyprint prior to 2.6.0 (2.5.1 and below). Exploitation requires an attacker to control the output filename and to have placed a malicious PHAR archive on the filesystem at a path they know, for example through an upload feature. The archive does not need a .phar extension: the phar:// wrapper parses by content, so an otherwise valid image carrying a phar stub and the __HALT_COMPILER(); marker works. Turning the unserialize() call into code execution additionally needs a usable gadget chain among the classes the application autoloads.

The fix replaces the case-sensitive blacklist with a scheme allow-list that checks the lowercased scheme parsed from the filename, rejecting any non-'file' scheme before file_exists() is called. An allow-list is the right shape here: PHP registers many wrappers besides phar (ftp, glob, compress.zlib and others), and any case variant of any of them would slip past a blacklist of literal strings.

Impact Analysis

This vulnerability can lead to remote code execution on servers running vulnerable versions of PhpWeasyPrint on PHP 7. An attacker who controls the output filename and has planted a crafted PHAR archive can execute arbitrary code remotely. PHP 8 no longer unserializes phar metadata implicitly when an archive is touched through the stream wrapper, which is why the deserialization sink is reachable only on the PHP 7 builds the library still supports; the bypass of the filename check itself exists on every PHP version.

The impact includes unauthorized access to the filesystem, execution of malicious code, and potential full compromise of the affected system.

The CVSS score is 8.1 (High), indicating a serious risk with network attack vector, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability. With those metrics an 8.1 rather than a 9.8 reflects high attack complexity: the attacker must both control the output filename and get an archive onto the server, and must have a gadget chain available.

Detection Guidance

Exploitation leaves two kinds of trace: an output filename whose stream-wrapper prefix is phar:// in any letter case (PHAR://, Phar://, pHaR:// and so on, since PHP lowercases the prefix when it resolves the wrapper), and a planted archive on a path the web server can read.

To detect exploitation attempts, search application and web-server logs for the parameters that control the output filename and flag any value that, after URL-decoding, begins with a wrapper prefix other than file://. A plain case-insensitive substring match on 'phar' also fires on ordinary words such as 'pharmacy' and misses percent-encoded payloads, so review hits rather than alerting on them directly.

Suggested commands include:

  • Grep for PHAR wrapper use in logs, case-insensitively and including the single-level URL-encoded form: `grep -iE 'phar(://|%3a%2f%2f)' /path/to/logs/*`
  • Watch PHP error logs for warnings and PharException messages that mention phar archives. file_exists() itself logs nothing, so a failed parse of a planted or malformed archive is often the only server-side trace.
  • Hunt for planted archives by content rather than by name, because the phar:// wrapper accepts an archive under any extension: `grep -rl --binary-files=text '__HALT_COMPILER' /path/to/uploads`, in addition to `find /path/to/uploads -iname '*.phar'`
  • Audit application code or configuration for output filename parameters that might be controllable by users and verify if they allow PHAR stream wrappers.
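The commands above treat any occurrence of 'phar' as suspicious, which also matches words like 'pharmacy' and only sees percent-encoded payloads at one level of encoding. The following is an added example, not code from the original page or from the PhpWeasyPrint project: a small PHP scanner over constructed Apache-style access-log lines (the client addresses, paths and the parameter name `output` are invented) that percent-decodes each query value, extracts the stream-wrapper prefix PHP would see, and reports any scheme other than `file`.

```php
<?php
declare(strict_types=1);

// Constructed sample log (Apache combined format). Hosts, paths and the
// "output" parameter are invented for this example.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [19/Jun/2026:10:01:02 +0000] "GET /export?output=report.pdf HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [19/Jun/2026:10:01:05 +0000] "GET /export?output=PHAR%3A%2F%2F%2Fvar%2Fwww%2Fuploads%2Favatar.jpg%2Fx.pdf HTTP/1.1" 500 0 "-" "curl/8.5"
203.0.113.9 - - [19/Jun/2026:10:02:11 +0000] "GET /search?q=pharmacy HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2026:10:03:40 +0000] "GET /export?output=%2550har%253A%252F%252F%252Ftmp%252Fx.jpg%252Fa HTTP/1.1" 500 0 "-" "python-requests/2.32"
198.51.100.4 - - [19/Jun/2026:10:04:01 +0000] "GET /export?output=file%3A%2F%2F%2Ftmp%2Fout.pdf HTTP/1.1" 200 700 "-" "python-requests/2.32"
LOG;

/**
 * Percent-decode repeatedly (bounded) so that double-encoded payloads such as
 * %2550har%253A%252F%252F are compared in the clear.
 */
function decodeFully(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

/**
 * One finding per query parameter whose decoded value starts with a stream
 * wrapper prefix (scheme followed by "://", the shape PHP looks for) other
 * than file://. Anchoring on the prefix avoids the "pharmacy" false positive.
 */
function findWrapperAbuse(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match('/"(?:GET|POST|PUT) (\S+) HTTP\/[\d.]+"/', $line, $m) !== 1) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        foreach (explode('&', $query) as $pair) {
            [$key, $raw] = array_pad(explode('=', $pair, 2), 2, '');
            $value = decodeFully($raw);
            if (preg_match('~^([a-z][a-z0-9+.\-]*)://~i', $value, $s) === 1
                && strtolower($s[1]) !== 'file') {
                $findings[] = [
                    'client' => explode(' ', $line, 2)[0],
                    'param'  => $key,
                    'scheme' => strtolower($s[1]),
                    'value'  => $value,
                ];
            }
        }
    }
    return $findings;
}

// Reports the PHAR:// request and the double-encoded Phar:// request,
// and stays silent on report.pdf, "pharmacy" and the file:// value.
foreach (findWrapperAbuse(SAMPLE_LOG) as $f) {
    printf("%-14s %s=%s  (scheme %s)\n", $f['client'], $f['param'], $f['value'], $f['scheme']);
}
```

Access logs only carry the GET query string. If the application accepts the output filename in a POST body, the same check has to run on application-level request logging or on a WAF body log, or it will never see the payload.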
Mitigation Strategies

The primary mitigation is to upgrade php-weasyprint to version 2.6.0 or later, which contains a patch replacing the case-sensitive blacklist with a scheme allow-list that validates the output filename protocol in a case-insensitive manner.

This fix ensures only allowed schemes (such as 'file://') are accepted, preventing PHAR deserialization via manipulated output filenames.

Additional immediate steps include:

  • Restrict file uploads, and do not rely on an extension deny-list for .phar: the phar:// wrapper parses archives by content, so validate uploads against their declared type (re-encode images, reject files containing the __HALT_COMPILER(); phar stub) and keep them on paths an attacker cannot predict.
  • Implement input validation to prevent user-controlled output filenames from including disallowed stream wrappers.
  • Restrict PHP stream wrappers to those the application needs. If nothing legitimately reads phar archives at runtime, call stream_wrapper_unregister('phar') during bootstrap; file_exists() then fails on any spelling of the prefix, which removes the deserialization sink independently of filename validation.
  • If upgrading immediately is not possible, consider applying the patch manually that enforces a scheme allow-list and rejects any non-'file' schemes before calling file_exists().
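As an added example, not the library's own code and not the actual 2.6.0 patch, the class below reconstructs the two checks this page contrasts: a case-sensitive substring blacklist of the kind the Executive Summary describes for versions before 2.6.0, and the scheme allow-list that the last mitigation step says to enforce by hand if an upgrade must wait. The class and method names (OutputNameCheckDemo, vulnerableGuard, hardenedGuard) and the sample paths are invented; the runner at the bottom shows which filenames each guard lets through to the point where file_exists() would be called.

```php
<?php
declare(strict_types=1);

final class OutputNameCheckDemo
{
    /**
     * Vulnerable pattern (hypothetical reconstruction, not the library's code):
     * a case-sensitive substring blacklist. PHP lowercases a wrapper prefix
     * when resolving it, so "PHAR://" is not caught here but is still phar://
     * to file_exists().
     */
    public static function vulnerableGuard(string $filename): void
    {
        if (strpos($filename, 'phar://') !== false) {
            throw new InvalidArgumentException('phar:// is not allowed');
        }
        // ... the caller would continue to file_exists($filename) here
    }

    /**
     * Hardened pattern: extract the wrapper prefix the way PHP does (scheme
     * characters followed by "://"), lowercase it, and allow only "file" or a
     * plain path. Everything else is rejected before file_exists() runs.
     */
    public static function hardenedGuard(string $filename): void
    {
        // A regex is used rather than parse_url() because parse_url() reports
        // a Windows drive letter such as "C:\out.pdf" as scheme "C".
        if (preg_match('~^([a-z][a-z0-9+.\-]*)://~i', $filename, $m) === 1) {
            $scheme = strtolower($m[1]);
            if ($scheme !== 'file') {
                throw new InvalidArgumentException(
                    sprintf('Output filename uses disallowed scheme "%s"', $scheme)
                );
            }
        }
        // ... the caller would continue to file_exists($filename) here
    }
}

// Constructed inputs; the upload path is invented.
$cases = [
    '/var/app/out/report.pdf',                  // plain path: both accept
    'file:///var/app/out/report.pdf',           // explicit file scheme: both accept
    'phar:///var/app/uploads/avatar.jpg/x.pdf', // lowercase: the blacklist catches it
    'PHAR:///var/app/uploads/avatar.jpg/x.pdf', // bypasses the blacklist
    'Phar:///var/app/uploads/avatar.jpg/x.pdf', // bypasses the blacklist
    'ftp://203.0.113.5/out.pdf',                // another wrapper: only the allow-list stops it
];

foreach ($cases as $name) {
    foreach (['vulnerableGuard', 'hardenedGuard'] as $guard) {
        try {
            OutputNameCheckDemo::$guard($name);
            $verdict = 'accepted';
        } catch (InvalidArgumentException $e) {
            $verdict = 'rejected';
        }
        printf("%-16s %-8s %s\n", $guard, $verdict, $name);
    }
}
```

The wrapper prefix matters only at the start of the string, which is why the hardened check anchors there; PHP will not treat a `phar://` that appears later in a path as a wrapper. If a manual patch is applied, it belongs in the same place the page names, prepareOutput(), ahead of the fileExists() call, and should be removed again once 2.6.0 is in place so the two checks do not drift apart.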
Compliance Impact

The vulnerability allows remote code execution and unauthorized filesystem access via PHAR deserialization, which can lead to compromise of confidentiality, integrity, and availability of data.

Such a compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure handling of personal and health information.

Specifically, unauthorized remote code execution could lead to data breaches or unauthorized data manipulation, violating requirements for data protection and security controls mandated by these regulations.
