CVE-2026-49358
Status: Received - Intake
Path Traversal in PhpWeasyPrint Library

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()`, invoked from `__destruct()` and from a registered shutdown function, calls `unlink()` on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue GHSA-87qc-37cw-84h4. PhpWeasyPrint version 2.6.0 contains a patch for the issue.
Affected Vendors & Products (3 associated CPEs)

Vendor          Product          Version / Range
phpweasyprint   phpweasyprint    up to 2.6.0 (excluding)
pontedilana     php-weasyprint   up to 2.6.0 (excluding)
knplabs         snappy           up to 1.7.2 (excluding)
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
Executive Summary

CVE-2026-49358 is a vulnerability in the php-weasyprint PHP library that allows arbitrary file deletion at script shutdown. The issue exists because the class AbstractGenerator has a public array property called $temporaryFiles, which stores file paths to be deleted when the script ends. The method removeTemporaryFiles(), called during object destruction or shutdown, deletes every file listed in this array without verifying that it is inside the intended temporary folder.

An attacker who can manipulate the $temporaryFiles array can insert arbitrary file paths, causing those files to be deleted when the script shuts down. This can lead to unintended deletion of files outside the temporary directory.

The vulnerability was fixed in php-weasyprint version 2.6.0 by modifying removeTemporaryFiles() to verify that each file path is within the designated temporary folder before deletion, preventing deletion of arbitrary files.

Impact Analysis

This vulnerability allows an attacker with local access and the ability to manipulate the $temporaryFiles array to delete arbitrary files on the system where php-weasyprint is running.

The impact is limited by the privileges of the PHP process user and requires high attack complexity and privileges, making direct exploitation unlikely without other vulnerabilities.

However, if combined with other vulnerabilities such as file disclosure or deserialization attacks, an attacker could delete sensitive files to cover their tracks or escalate privileges, potentially causing data loss or service disruption.

Detection Guidance

This vulnerability involves the manipulation of the public $temporaryFiles array in the PhpWeasyPrint AbstractGenerator class, which can lead to arbitrary file deletion at script shutdown. Detection involves checking if any code or process has the ability to modify this array or if unexpected file deletions occur during script shutdown.

Since the vulnerability requires local access and the ability to influence the $temporaryFiles property within the same request, detection can focus on monitoring PHP scripts using PhpWeasyPrint versions prior to 2.6.0 for suspicious modifications to this property.

Suggested commands to help detect potential exploitation or presence of the vulnerability include:

  • Review PHP error logs and application logs for unexpected file deletions or unlink() errors.
  • Use grep or similar tools to search for usage or modification of the $temporaryFiles property in your PHP codebase: grep -r '\$temporaryFiles' /path/to/phpweasyprint
  • Monitor file system activity for deletions in directories outside the expected temporary folder using audit tools like auditd or inotifywait.
  • Check the version of php-weasyprint installed by running composer show phpweasyprint/phpweasyprint or inspecting the vendor directory to confirm if it is older than 2.6.0.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade php-weasyprint to version 2.6.0 or later, where the vulnerability is patched.

Version 2.6.0 includes a fix that ensures the removeTemporaryFiles() method only deletes files located within the designated temporary folder by verifying the real path of each file before deletion.
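The containment check that the fix is described as adding, written out as an added PHP example; this is not PhpWeasyPrint's own code, and the class name, the $temporaryFolder property and the demo paths are assumptions.

```php
<?php
// Added illustration, not PhpWeasyPrint's code (PHP 8+); the class shape and $temporaryFolder name are assumed.
final class HardenedGeneratorExample
{
    private array $temporaryFiles = []; // private: no caller can push arbitrary entries into the cleanup list

    public function __construct(private string $temporaryFolder)
    {
        if (($real = realpath($temporaryFolder)) === false || !is_dir($real)) {
            throw new RuntimeException("Not a usable temporary folder: $temporaryFolder");
        }
        // Canonical folder with trailing separator, so "/tmp/weasy2" cannot prefix-match "/tmp/weasy".
        $this->temporaryFolder = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        register_shutdown_function([$this, 'removeTemporaryFiles']);
    }
    // Write $content to a fresh file inside the folder and track it for cleanup.
    public function createTemporaryFile(string $content, string $ext = 'html'): string
    {
        $path = $this->temporaryFolder . bin2hex(random_bytes(8)) . '.' . $ext;
        file_put_contents($path, $content);
        $this->temporaryFiles[] = $path;
        return $path;
    }
    // True only when the resolved path (symlinks and ".." removed) lies under the folder.
    public function isInsideTemporaryFolder(string $file): bool
    {
        $real = realpath($file);
        return $real !== false && str_starts_with($real, $this->temporaryFolder);
    }
    // Unlink tracked files; an entry that resolves outside the folder is logged and left alone.
    public function removeTemporaryFiles(): void
    {
        foreach ($this->temporaryFiles as $file) {
            if ($this->isInsideTemporaryFolder($file) && is_file($file)) {
                unlink($file);
            } elseif (file_exists($file)) {
                error_log("Refusing to unlink $file: outside {$this->temporaryFolder}");
            }
        }
        $this->temporaryFiles = [];
    }
}
// Constructed demo: the tracked file is removed, a file outside the folder fails the check.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'weasy_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$gen = new HardenedGeneratorExample($dir);
$inside = $gen->createTemporaryFile('<html><body>report</body></html>');
$outside = tempnam(sys_get_temp_dir(), 'outside_');
$gen->removeTemporaryFiles();
var_dump(file_exists($inside), $gen->isInsideTemporaryFolder($outside));
unlink($outside); rmdir($dir);
```

Keeping the list private closes the original entry point, and the realpath prefix check covers entries that still get in through a subclass or a symlink planted inside the folder.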

If upgrading immediately is not possible, restrict access to the PHP process and code to prevent unauthorized manipulation of the $temporaryFiles property.

Additionally, review and harden your application to prevent other vulnerabilities that could be combined with this issue, such as file disclosure or deserialization attacks.

Monitor file system permissions and audit logs to detect any suspicious file deletions.

Compliance Impact

The vulnerability allows an attacker with local access and sufficient privileges to delete arbitrary files on the system by manipulating the public $temporaryFiles array. This could be exploited to delete sensitive files, such as configuration files or logs, potentially covering tracks or escalating privileges.

While the vulnerability itself does not directly disclose personal or protected data, the ability to delete files arbitrarily could impact the integrity and availability of data, which are important aspects of compliance with standards like GDPR and HIPAA.

Specifically, deletion of audit logs or configuration files could hinder forensic investigations or breach incident response requirements mandated by these regulations.

However, exploitation requires prior local access and the ability to manipulate the $temporaryFiles property, making direct exploitation less likely without other vulnerabilities.

Therefore, this vulnerability poses an indirect risk to compliance by potentially enabling attackers to cover tracks or disrupt system integrity, which could violate regulatory requirements for data protection and incident management.
