PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49260 pontedilana CVE debrief

CVE-2026-49260 is a high-severity vulnerability in PhpWeasyPrint, a PHP library used for generating PDFs from URLs or HTML pages. The issue arises from the library's method of constructing shell commands for WeasyPrint, which allows for shell command injection. This vulnerability has a CVSS score of 8.2 and is considered high priority. Affected deployments include those where the binary path is sourced from configuration, environment variables, or per-tenant settings.

Vendor: pontedilana
Product: php-weasyprint
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-22
Advisory published: 2026-06-19
Advisory updated: 2026-06-22

Who should care

Developers and administrators using PhpWeasyPrint should be aware of this vulnerability, especially where the binary path is read from sources that may carry untrusted input, such as configuration files, environment variables, or per-tenant settings. Given the high CVSS score of 8.2, immediate attention is advised to limit exposure to shell command injection.

Technical summary

The vulnerability in PhpWeasyPrint arises from the order of its operations: the binary path is passed through `escapeshellarg()` first, and `is_executable()` is then called on the escaped string. On POSIX systems the escaped string is wrapped in single quotes, so `is_executable()` looks for a file whose name contains those single-quote characters, which never exists, making the 'safe' branch dead code. Consequently, the raw binary path string flows directly into `Symfony\Component\Process\Process::fromShellCommandline()`, yielding a shell-command-injection vulnerability. This issue was patched in PhpWeasyPrint version 2.5.1.
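As an added illustration (not php-weasyprint's own code), the check-after-escape pattern the summary describes, reconstructed in simplified form, beside a hardened version that validates the raw path against an allow-list and passes arguments as an argv array so no shell is involved. Function names, the allow-list, and the argument layout are assumptions.

```php
<?php
// Added illustration of the dead-check pattern; not php-weasyprint's code.
// Function names, allow-list entries and argument layout are assumptions.

use Symfony\Component\Process\Process;

// Pattern described in the advisory: the path is escaped BEFORE it is checked.
// escapeshellarg('/usr/bin/weasyprint') yields "'/usr/bin/weasyprint'" on POSIX,
// so is_executable() looks for a file literally named with quotes and never succeeds.
function buildCommandDeadCheck(string $binary, string $input, string $output): Process
{
    $escaped = escapeshellarg($binary);
    if (is_executable($escaped)) {
        // Intended "safe" branch: unreachable, because $escaped never names a real file.
        return Process::fromShellCommandline(
            $escaped . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output)
        );
    }
    // Only branch ever taken: the raw, unvalidated path is interpolated into a shell line.
    return Process::fromShellCommandline(
        $binary . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output)
    );
}

// Hardened form: validate the RAW path, require it to resolve to an allow-listed
// executable, then hand Symfony an argv array so no shell parses anything.
function buildCommandSafe(string $binary, string $input, string $output): Process
{
    // Assumed allow-list; in practice this comes from deployment policy, not from tenants.
    $allowed = ['/usr/bin/weasyprint', '/usr/local/bin/weasyprint'];

    $resolved = realpath($binary);
    if ($resolved === false || !is_file($resolved) || !is_executable($resolved)) {
        throw new InvalidArgumentException('WeasyPrint binary path is not an executable file');
    }
    if (!in_array($resolved, $allowed, true)) {
        throw new InvalidArgumentException('WeasyPrint binary path is not on the allow-list');
    }
    // Array form: each element is one argv entry, passed directly to exec(), no shell.
    return new Process([$resolved, $input, $output]);
}
```

The second form is the shape the recommended actions below point at: the path is validated before use, configuration input is constrained to known values, and the command line is never re-parsed by a shell.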

Defensive priority

High priority, given the CVSS score of 8.2 and the potential for shell command injection.

Recommended defensive actions

  • Update PhpWeasyPrint to version 2.5.1 or later
  • Review and validate binary path configurations
  • Limit exposure by restricting configuration and environment variable inputs
  • Monitor for suspicious activity related to PDF generation
  • Implement compensating controls to detect and prevent shell command injection

Evidence notes

The vulnerability is documented in the CVE record and NVD detail pages. PhpWeasyPrint's patch release (version 2.5.1) and related references provide further evidence and mitigation steps. The root cause is the library's handling of the binary path when it builds the shell command for WeasyPrint.

Official resources

This article is AI-assisted and based on the supplied source corpus.