CVE-2026-49359: CWE-918: Server-Side Request Forgery (SSRF) in pontedilana php-weasyprint
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` fetches the content of option values server-side via `file_get_contents()` when the value looks like a URL, without restricting the URL scheme. The `attachment` option of `Pdf` is the reachable sink: any value that passes `isOptionUrl()` (`filter_var(..., FILTER_VALIDATE_URL)`) is downloaded by the PHP process and embedded into the generated PDF. Because `FILTER_VALIDATE_URL` accepts `http`, `https`, `ftp`, `file` and PHP stream wrappers such as `php://`, an attacker who can influence the `attachment` value reaches both a **Server-Side Request Forgery** primitive (e.g. internal HTTP endpoints, cloud metadata) and a local file disclosure primitive (`file://`, `php://filter/...`), with the fetched bytes exfiltrated as a PDF attachment. This is the same class of issue KnpLabs/snappy patched for its `xsl-style-sheet` option in GHSA-c5fp-p67m-gq56. The library is documented as a one-to-one substitute for KnpLabs/snappy and shares the same code shape. PhpWeasyPrint version 2.6.0 contains a patch for the issue.
AI Analysis
Technical Summary
PhpWeasyPrint is a PHP library for generating PDFs from URLs or HTML pages. In versions before 2.6.0, the `attachment` option in the Pdf class uses `file_get_contents()` to fetch content when the value validates as a URL using PHP's FILTER_VALIDATE_URL. This filter accepts multiple schemes including http, https, ftp, file, and PHP stream wrappers like php://. Because there is no restriction on the URL scheme, an attacker able to influence the `attachment` value can perform SSRF attacks to internal or external resources and also local file disclosure via file:// or php:// filters. The fetched content is embedded as a PDF attachment, allowing exfiltration of sensitive data. The vulnerability is identified as CWE-918 and has a CVSS 3.1 base score of 6.5 (medium severity). The issue was fixed in php-weasyprint version 2.6.0.
Potential Impact
An attacker with the ability to control the `attachment` option can cause the server to make arbitrary requests to internal or external resources, including local files, potentially exposing sensitive information such as internal HTTP endpoints or cloud metadata. The exfiltrated data is embedded in the generated PDF as an attachment. This can lead to information disclosure without requiring user interaction. The vulnerability does not impact integrity or availability directly.
Mitigation Recommendations
Upgrade php-weasyprint to version 2.6.0 or later, where this SSRF vulnerability is patched. No other official remediation or temporary fixes are documented. If upgrading is not immediately possible, restrict or sanitize inputs controlling the `attachment` option to prevent URLs with unsafe schemes such as file:// or php://. However, the recommended and definitive mitigation is to apply the official patch by upgrading.
CVE-2026-49359: CWE-918: Server-Side Request Forgery (SSRF) in pontedilana php-weasyprint
Description
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` fetches the content of option values server-side via `file_get_contents()` when the value looks like a URL, without restricting the URL scheme. The `attachment` option of `Pdf` is the reachable sink: any value that passes `isOptionUrl()` (`filter_var(..., FILTER_VALIDATE_URL)`) is downloaded by the PHP process and embedded into the generated PDF. Because `FILTER_VALIDATE_URL` accepts `http`, `https`, `ftp`, `file` and PHP stream wrappers such as `php://`, an attacker who can influence the `attachment` value reaches both a **Server-Side Request Forgery** primitive (e.g. internal HTTP endpoints, cloud metadata) and a local file disclosure primitive (`file://`, `php://filter/...`), with the fetched bytes exfiltrated as a PDF attachment. This is the same class of issue KnpLabs/snappy patched for its `xsl-style-sheet` option in GHSA-c5fp-p67m-gq56. The library is documented as a one-to-one substitute for KnpLabs/snappy and shares the same code shape. PhpWeasyPrint version 2.6.0 contains a patch for the issue.
CVSS v3.1
Score 6.5medium
Affected software
pkg:composer/pontedilana/php-weasyprintRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PhpWeasyPrint is a PHP library for generating PDFs from URLs or HTML pages. In versions before 2.6.0, the `attachment` option in the Pdf class uses `file_get_contents()` to fetch content when the value validates as a URL using PHP's FILTER_VALIDATE_URL. This filter accepts multiple schemes including http, https, ftp, file, and PHP stream wrappers like php://. Because there is no restriction on the URL scheme, an attacker able to influence the `attachment` value can perform SSRF attacks to internal or external resources and also local file disclosure via file:// or php:// filters. The fetched content is embedded as a PDF attachment, allowing exfiltration of sensitive data. The vulnerability is identified as CWE-918 and has a CVSS 3.1 base score of 6.5 (medium severity). The issue was fixed in php-weasyprint version 2.6.0.
Potential Impact
An attacker with the ability to control the `attachment` option can cause the server to make arbitrary requests to internal or external resources, including local files, potentially exposing sensitive information such as internal HTTP endpoints or cloud metadata. The exfiltrated data is embedded in the generated PDF as an attachment. This can lead to information disclosure without requiring user interaction. The vulnerability does not impact integrity or availability directly.
Mitigation Recommendations
Upgrade php-weasyprint to version 2.6.0 or later, where this SSRF vulnerability is patched. No other official remediation or temporary fixes are documented. If upgrading is not immediately possible, restrict or sanitize inputs controlling the `attachment` option to prevent URLs with unsafe schemes such as file:// or php://. However, the recommended and definitive mitigation is to apply the official patch by upgrading.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-29T14:35:45.904Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a358c60f198dc38c1f30251
Added to database: 06/19/2026, 18:37:20 UTC
Last enriched: 06/19/2026, 18:51:13 UTC
Last updated: 06/21/2026, 01:06:29 UTC
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.