pontedilana/php-weasyprint Security Advisories for 2.2.0 (4)
-
[MEDIUM] PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
PKSA-q4hm-4pvf-f13w CVE-2026-49359 GHSA-x8g9-h984-pc36
Affected version: <=2.5.1
Reported by:
GitHub -
[LOW] PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles
PKSA-69w1-spwq-4gvw CVE-2026-49358 GHSA-5g9f-cwwg-4p8g
Affected version: <=2.5.1
Reported by:
GitHub -
[HIGH] PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
PKSA-xz12-xgjc-r2wn CVE-2026-49286 GHSA-2fmj-p74r-3wjm
Affected version: <=2.5.1
Reported by:
GitHub -
[HIGH] php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
PKSA-p9k4-v53c-c7zd CVE-2026-49260 GHSA-f5gc-qxf8-mh9g
Affected version: <=2.5.0
Reported by:
GitHub