CVE-2026-49358

June 19, 2026, 3:16 p.m.

3.0
Low

Description

PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()` — invoked from `__destruct()` and from a registered shutdown function — calls `unlink()` on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue GHSA-87qc-37cw-84h4. PhpWeasyPrint version 2.6.0 contains a patch for the issue.

Product(s) Impacted

Vendor Product Versions
Phpweasyprint
  • Phpweasyprint
  • *, 2.6.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-73
External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a phpweasyprint phpweasyprint / / / / / / / /
a phpweasyprint phpweasyprint 2.6.0 / / / / / / /

References

https://github.com/KnpLabs/snappy/security/advisories/GHSA-87qc-37cw-84h4
https://github.com/pontedilana/php-weasyprint/commit/6d328ffd3bcb800c7c2e8a594b1bff0c099c9391
https://github.com/pontedilana/php-weasyprint/releases/tag/2.6.0
https://github.com/pontedilana/php-weasyprint/security/advisories/GHSA-5g9f-cwwg-4p8g

Tags

[email protected]
CWE-73
2026-06-19
CVE-2026-49358

CVSS Score

3.0 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: HIGH
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: LOW

    • CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

    View Vector String

Timeline

Published: June 19, 2026, 3:16 p.m.
Last Modified: June 19, 2026, 3:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.