CVE-2026-49358: CWE-73: External Control of File Name or Path in pontedilana php-weasyprint
PhpWeasyPrint versions prior to 2.6.0 have a vulnerability where an attacker with code access can insert arbitrary file paths into a public array that is later used to delete files without path validation. This can lead to unintended file deletions on script shutdown. Version 2.6.0 includes a patch addressing this issue.
AI Analysis
Technical Summary
PhpWeasyPrint is a PHP library for generating PDFs from URLs or HTML pages. In versions before 2.6.0, the array AbstractGenerator::$temporaryFiles is a public property, so any code holding a reference to the generator instance can append paths to it. The removeTemporaryFiles() method, called during object destruction and at script shutdown, runs unlink() on every entry of that array without checking that the path resolves to a file inside the generator's temporary folder. A path pushed into the array from outside, including one spelled with "../" components, is therefore deleted with the permissions of the PHP process; this is external control of a file name or path (CWE-73). The issue is fixed in version 2.6.0.
Potential Impact
An attacker who can manipulate the generator instance, in practice code already running in the same PHP process, can cause deletion of arbitrary files at script shutdown, subject only to the filesystem permissions of that process. The need for local code execution with high privileges (CVSS vector AV:L/PR:H, score 3.0, low) keeps the impact small. Confidentiality is not affected; integrity and availability can be lost through deleted files.
Mitigation Recommendations
Upgrade to PhpWeasyPrint version 2.6.0 or later, which restricts the shutdown cleanup to files inside the temporary folder. This page carries no advisory or patch link, so confirm the fixed version against the vendor's release notes or the package repository before relying on it. Until the upgrade is in place, treat every piece of code that can obtain the generator instance as trusted: the array is a public property, so any holder of a reference can append paths to it, and only a code change removes that possibility. Running the PHP process with write permission limited to the directories it actually needs bounds what an injected path can delete.
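The pattern described in the technical summary, and the "restrict deletion to the temporary folder" fix referred to under mitigation, as an added PHP example. This is not php-weasyprint's code and does not reproduce the 2.6.0 patch: the class TemporaryFileCleaner, its method names and the demo file paths are assumptions chosen to mirror the shape of the issue (a public array of paths unlinked at cleanup time). The unchecked method shows the vulnerable shape; the hardened one canonicalises the containing directory with realpath() and unlinks an entry only if it lives under the temporary folder, which also rejects traversal spellings and symlinks placed elsewhere. The demo constructs its own files under the system temp directory and removes them afterwards.

```php
<?php
declare(strict_types=1);

// Added illustration, not php-weasyprint's code. TemporaryFileCleaner is a
// hypothetical stand-in for a generator that collects temp files in a public
// array and unlinks them at shutdown; only the pattern is the same.
final class TemporaryFileCleaner
{
    /** @var string[] Public, so any code holding the instance can append paths. */
    public array $temporaryFiles = [];

    private string $temporaryFolder;

    public function __construct(string $temporaryFolder)
    {
        $real = realpath($temporaryFolder);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("Not a directory: $temporaryFolder");
        }
        $this->temporaryFolder = $real;
    }

    /**
     * The vulnerable shape: every entry is unlinked as given, so a path that
     * was pushed from outside (or a "../" spelling) deletes an arbitrary file.
     */
    public function removeTemporaryFilesUnchecked(): array
    {
        $removed = [];
        foreach ($this->temporaryFiles as $file) {
            if (is_file($file) && @unlink($file)) {
                $removed[] = $file;
            }
        }
        $this->temporaryFiles = [];
        return $removed;
    }

    /** The hardened shape: an entry is unlinked only if it lives inside the temporary folder. */
    public function removeTemporaryFiles(): array
    {
        $removed = [];
        foreach ($this->temporaryFiles as $file) {
            if ($this->isInsideTemporaryFolder($file) && @unlink($file)) {
                $removed[] = $file;
            }
        }
        $this->temporaryFiles = [];
        return $removed;
    }

    private function isInsideTemporaryFolder(string $file): bool
    {
        // Canonicalise the containing directory ("..", ".", symlinked dirs) and
        // compare it with the folder as a path prefix. Checking the directory
        // rather than realpath($file) means a symlink that sits elsewhere but
        // points into the folder is still rejected.
        $dir  = realpath(dirname($file));
        $name = basename($file);
        if ($dir === false || $name === '' || $name === '.' || $name === '..') {
            return false;
        }
        $inside = $dir === $this->temporaryFolder
            || str_starts_with($dir, $this->temporaryFolder . DIRECTORY_SEPARATOR);
        $entry = $dir . DIRECTORY_SEPARATOR . $name;
        return $inside && (is_file($entry) || is_link($entry));
    }
}

// Demo with constructed files: a fresh base directory under the system temp dir,
// a "tmp" folder the cleaner owns, one legitimate temp file inside it and one
// file outside it standing in for an arbitrary victim.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cleaner-demo-' . bin2hex(random_bytes(4));
$tmp     = $base . DIRECTORY_SEPARATOR . 'tmp';
mkdir($tmp, 0700, true);
$inside  = $tmp . DIRECTORY_SEPARATOR . 'render.html';
$outside = $base . DIRECTORY_SEPARATOR . 'important.txt';
file_put_contents($inside, '<p>constructed</p>');
file_put_contents($outside, 'constructed; must survive');

$cleaner = new TemporaryFileCleaner($tmp);
// Anything holding the instance can do this, because the property is public.
$cleaner->temporaryFiles[] = $inside;
$cleaner->temporaryFiles[] = $outside;
$cleaner->temporaryFiles[] = $tmp . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'important.txt';

$removed = $cleaner->removeTemporaryFiles();
if ($removed !== [$inside] || !file_exists($outside)) {
    throw new RuntimeException('Hardened cleanup touched the wrong files');
}
echo "Removed only the in-folder file; the file outside the folder survived.\n";

// Tidy up the demo directory.
unlink($outside);
rmdir($tmp);
rmdir($base);
```

Run it with `php cleaner-demo.php` (PHP 8.0 or later for str_starts_with). Calling removeTemporaryFilesUnchecked() on the same array instead would delete important.txt, which is the behaviour the advisory describes. The hardened check deliberately resolves the parent directory and not the entry itself: realpath() on a symlink returns its target, so a prefix test on the target alone would accept a link created outside the folder that points into it.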
CVSS v3.1
Score 3.0low
Affected software
pkg:composer/pontedilana/php-weasyprint
Weaknesses
CWE-73: External Control of File Name or Path
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-29T14:35:45.904Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a355aaef198dc38c1711ecc
Added to database: 6/19/2026, 3:05:18 PM
Last enriched: 6/19/2026, 3:20:17 PM
Last updated: 6/19/2026, 4:06:16 PM