PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46643 KnpLabs CVE debrief

CVE-2026-46643 is a command injection vulnerability in Snappy, the KnpLabs PHP library that generates thumbnails, snapshots, or PDFs from a URL or an HTML page by invoking an external rendering binary. On POSIX systems, `escapeshellarg` wraps its argument in single quotes and returns that quoted literal; the library then hands the quoted string to `is_executable`, which does not treat it as a valid path, so the quoting gives the binary path no protection. When the binary path is sourced from user-influenced configuration or environment variables, or is concatenated with user-controlled fragments, an attacker can inject shell commands. The issue is fixed in Snappy 1.7.1.

Vendor
KnpLabs
Product
snappy
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-11
Advisory published
2026-06-10
Advisory updated
2026-06-11

Who should care

Anyone running the Snappy PHP library is on the affected code path, but the exposure depends on where the binary path comes from. Deployments in which that path can be set or influenced by untrusted parties (an admin-editable setting, a per-tenant configuration, an environment variable an attacker can control, or a path built by concatenating user-supplied fragments) are at risk of command execution on the server. Generating PDFs or thumbnails from user-supplied URLs or HTML does not by itself trigger the bug: the injection is through the binary path, not through the rendered content.

Technical summary

The vulnerability lies in how Snappy validates and quotes the path of the rendering binary before building the shell command. On POSIX systems, `escapeshellarg` returns its argument wrapped in literal single quotes (with any embedded single quotes escaped). The library then checks that quoted literal with `is_executable`; because no file exists under a name that includes the surrounding quotes, the check fails on POSIX, and the binary path ends up on the command line without the protection the escaping was meant to provide. If an attacker can influence that path, through configuration, environment variables, or fragments concatenated into it, any shell metacharacters it contains (such as `;`, `|`, or `$(...)`) are interpreted by the shell, giving command execution with the privileges of the PHP process.
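The following PHP script is an added illustration and is not Snappy's own code. The function `buildCommandBroken` is an assumed, simplified reconstruction of the faulty pattern the summary describes (checking `is_executable` on the output of `escapeshellarg`); `buildCommandHardened` is one way to validate a binary path against a deployment-controlled allow list and hand the program an argv array so that no shell is involved. The binary path `/opt/tools/render` and the tampered value are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added illustration, not Snappy's code. Demonstrates why checking is_executable()
// on the escapeshellarg() output defeats the purpose of escaping, and one way to
// validate a binary path before it reaches a shell.

/**
 * Assumed vulnerable pattern (hypothetical, for illustration only).
 * On POSIX, escapeshellarg('/opt/x') returns '/opt/x' INCLUDING the quotes. No
 * file of that name exists, so the check fails and the raw path is used as-is.
 */
function buildCommandBroken(string $binary, string $input, string $output): string
{
    $escaped = escapeshellarg($binary);
    $command = is_executable($escaped) ? $escaped : $binary;   // raw path on POSIX
    return $command . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

/**
 * Hardened variant: validate the RAW path (never its quoted form) against an
 * allow list fixed at deployment time, then return an argv array for proc_open().
 *
 * @param string[] $allowedBinaries absolute paths the deployment permits
 * @return string[] argv suitable for proc_open($argv, $descriptors, $pipes)
 */
function buildCommandHardened(string $binary, string $input, string $output, array $allowedBinaries): array
{
    // realpath() resolves symlinks and returns false for a non-existent file,
    // so a path carrying injected metacharacters never matches the allow list.
    $real = realpath($binary);
    if ($real === false || !in_array($real, $allowedBinaries, true)) {
        throw new RuntimeException("binary path is not on the allow list: {$binary}");
    }
    if (!is_executable($real)) {
        throw new RuntimeException("binary is not executable: {$real}");
    }
    // An array passed to proc_open() (PHP >= 7.4) is executed directly, without
    // /bin/sh, so the arguments are never re-parsed for shell metacharacters.
    return [$real, $input, $output];
}

// Constructed input: a binary path an attacker managed to influence, e.g. via an
// admin-editable setting or an environment variable read at startup.
$tamperedBinary = '/opt/tools/render; id #';

echo "escapeshellarg() output: " . escapeshellarg($tamperedBinary) . PHP_EOL;
echo "is_executable() on it:   "
    . var_export(is_executable(escapeshellarg($tamperedBinary)), true) . PHP_EOL;

// The broken builder drops back to the raw path; a shell given this line runs "id".
echo "broken command line:     " . buildCommandBroken($tamperedBinary, 'in.html', 'out.pdf') . PHP_EOL;

// The hardened builder rejects the tampered path before any shell is involved.
try {
    buildCommandHardened($tamperedBinary, 'in.html', 'out.pdf', [PHP_BINARY]);
} catch (RuntimeException $e) {
    echo "hardened: rejected (" . $e->getMessage() . ")" . PHP_EOL;
}

// A legitimate, allow-listed binary (PHP itself, so the demo runs anywhere)
// yields an argv array for proc_open() with no quoting required.
$argvList = buildCommandHardened(PHP_BINARY, 'in.html', 'out.pdf', [PHP_BINARY]);
echo "hardened argv:           " . implode(' | ', $argvList) . PHP_EOL;
```

Run it with `php` on a POSIX host: the first two lines show the quoted literal and `false` from `is_executable`, the third shows the raw tampered path reaching the command line, and the last two show the allow-list check rejecting it while accepting a permitted binary. Note that checking `is_executable` alone would not be enough, since an attacker who controls the path could point it at any existing executable (for example `/bin/sh`); the allow list is what ties the path to deployment-time intent.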

Defensive priority

HIGH

Recommended defensive actions

  • Update the Snappy library to version 1.7.1 or later.
  • Fix the binary path at deployment time (hard-coded or read from a deployment-controlled configuration file) and confirm that no request parameter, tenant setting, or admin form can change it.
  • Do not derive the path from environment variables an attacker can influence, and never concatenate user-controlled fragments into it; where the path must be configurable, validate it against an allow list of absolute paths before use.

Evidence notes

The vulnerability has been patched in version 1.7.1 of the Snappy library. Users can refer to the [patch release](ref-4) and [security advisory](ref-5) for more information.

Official resources

CVE-2026-46643 was published on 2026-06-10T20:17:28.880Z and modified on 2026-06-11T17:16:34.370Z.