CVE-2026-49359
Deferred Deferred - Pending Action

Server-Side Request Forgery in PhpWeasyPrint PDF Generation

Vulnerability report for CVE-2026-49359, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` fetches the content of option values server-side via `file_get_contents()` when the value looks like a URL, without restricting the URL scheme. The `attachment` option of `Pdf` is the reachable sink: any value that passes `isOptionUrl()` (`filter_var(..., FILTER_VALIDATE_URL)`) is downloaded by the PHP process and embedded into the generated PDF. Because `FILTER_VALIDATE_URL` accepts `http`, `https`, `ftp`, `file` and PHP stream wrappers such as `php://`, an attacker who can influence the `attachment` value reaches both a **Server-Side Request Forgery** primitive (e.g. internal HTTP endpoints, cloud metadata) and a local file disclosure primitive (`file://`, `php://filter/...`), with the fetched bytes exfiltrated as a PDF attachment. This is the same class of issue KnpLabs/snappy patched for its `xsl-style-sheet` option in GHSA-c5fp-p67m-gq56. The library is documented as a one-to-one substitute for KnpLabs/snappy and shares the same code shape. PhpWeasyPrint version 2.6.0 contains a patch for the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-23
Generated
2026-07-11
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
pontedilana php_weasyprint to 2.6.0 (exc)
knplabs snappy to 1.6.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in php-weasyprint allows Server-Side Request Forgery (SSRF) and local file disclosure, which can lead to unauthorized access to internal HTTP endpoints, cloud metadata, or local files. Such unauthorized data access and exfiltration could potentially expose sensitive or personal data.

This exposure risks violating data protection regulations such as GDPR or HIPAA, which require strict controls over access to personal and sensitive information. If exploited, the vulnerability could lead to non-compliance due to unauthorized data disclosure.

The fix introduced in version 2.6.0 restricts URL schemes to http and https by default, preventing access to local files and internal resources, thereby mitigating the risk of data leakage and helping maintain compliance with these standards.

Executive Summary

CVE-2026-49359 is a vulnerability in the php-weasyprint PHP library that allows Server-Side Request Forgery (SSRF) and local file disclosure. Before version 2.6.0, the library fetches content server-side using file_get_contents() for option values that look like URLs, without restricting the URL schemes. This means an attacker who can control the 'attachment' option value can cause the server to fetch arbitrary URLs, including internal HTTP endpoints, cloud metadata, or local files using schemes like file:// or php://. The fetched content is then embedded into the generated PDF, allowing exfiltration of sensitive data.

The vulnerability arises because the library uses FILTER_VALIDATE_URL, which accepts multiple URL schemes such as http, https, ftp, file, and PHP stream wrappers. This lack of restriction enables attackers to exploit the attachment option to perform SSRF or local file disclosure.

The issue was fixed in php-weasyprint version 2.6.0 by restricting URL fetching to only allowed schemes (http and https by default) and treating other schemes as inline content, preventing unauthorized access to local files or internal resources.

Impact Analysis

This vulnerability can impact you by allowing an attacker who can influence the 'attachment' option value to perform Server-Side Request Forgery (SSRF) attacks or disclose local files on the server. SSRF can be used to access internal HTTP endpoints or cloud metadata services that are not normally accessible from outside, potentially exposing sensitive information or enabling further attacks.

Local file disclosure through schemes like file:// or php:// can allow attackers to read sensitive files on the server, such as configuration files, credentials, or other private data. The fetched content is embedded into the generated PDF, which can then be exfiltrated.

The attack requires the ability to influence the attachment option value, which may require some level of privilege or control over input parameters.

The CVSS score of 6.5 (Medium) reflects that the attack vector is network-based, requires low privileges, and no user interaction, with high confidentiality impact but no integrity or availability impact.

Detection Guidance

This vulnerability involves the php-weasyprint library fetching content server-side via file_get_contents() when the attachment option value looks like a URL with an unrestricted scheme. Detection involves identifying if your system uses php-weasyprint versions prior to 2.6.0 and if the attachment option is influenced by user input.

To detect exploitation attempts or presence of this vulnerability, you can monitor logs or network traffic for unusual outbound requests initiated by the PHP process to internal or local URLs, especially those with schemes like file://, php://, ftp://, or requests to internal metadata endpoints.

Suggested commands include searching your codebase or logs for usage of the attachment option with URL values, for example:

  • grep -r 'attachment' /path/to/your/php/code
  • grep -r 'file_get_contents' /path/to/your/php/code
  • Monitoring outgoing HTTP requests from your server, e.g., using tcpdump or similar tools:
  • tcpdump -i any -n host internal-ip or port 80 or port 443
  • Checking PHP error or access logs for suspicious activity involving URL fetching or PDF generation.
Mitigation Strategies

The primary mitigation is to upgrade php-weasyprint to version 2.6.0 or later, where the vulnerability is fixed by restricting allowed URL schemes to http and https by default.

If upgrading immediately is not possible, you should ensure that user input cannot influence the attachment option value, or sanitize and validate URLs to allow only safe schemes.

Additionally, configure the library to explicitly set allowed URL schemes via the new constructor argument $allowedSchemes to restrict fetching to safe protocols.

Monitor and restrict outbound network requests from your PHP environment to prevent SSRF exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49359. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart