PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49286 pontedilana CVE debrief

CVE-2026-49286 is a high-severity remote code execution vulnerability in the PhpWeasyPrint library (pontedilana/php-weasyprint). The library rejects output filenames that would resolve to a PHAR stream wrapper, but the check compares the wrapper name case-sensitively while PHP matches stream wrapper names case-insensitively. A filename beginning with PHAR:// or Phar:// therefore passes the check and, once the library operates on it, causes PHP to open the attacker-supplied PHAR archive and deserialize its metadata, which leads to code execution. The issue affects PhpWeasyPrint versions prior to 2.6.0 and bypasses the fix for CVE-2023-28115. With a CVSS score of 8.1, defenders should prioritize patching.

Vendor
pontedilana
Product
php-weasyprint
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-19
Original CVE updated
2026-06-22
Advisory published
2026-06-19
Advisory updated
2026-06-22

Who should care

Developers and administrators running applications that depend on PhpWeasyPrint should assess their exposure, particularly on PHP 7.4 or later, where the advisory describes the PHAR metadata deserialization as leading to code execution. Because the outcome is remote code execution, security teams should treat assessment and mitigation as a priority rather than routine dependency maintenance.

Technical summary

Vulnerable versions of PhpWeasyPrint guard the output filename with a blacklist intended to reject PHAR stream wrappers. The comparison is case-sensitive, but PHP resolves stream wrapper names case-insensitively, so phar://, PHAR:// and Phar:// all select the same wrapper. An attacker who can influence the output filename supplies a casing the blacklist does not recognize; when the library then performs a file operation on that path, PHP opens the referenced PHAR archive and deserializes its metadata, handing attacker-controlled data to unserialize. On PHP 7.4+, this leads to remote code execution. The issue is fixed in PhpWeasyPrint version 2.6.0.
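To make the mismatch concrete, the following PHP is an added example, not code from php-weasyprint or from the advisory. The first function is a hypothetical blacklist modelled on the flaw described above; the second is a scheme-agnostic replacement that parses any leading wrapper name the way PHP's own wrapper lookup does (case-insensitively, with "data:" recognized without a "//"). The function names and the list of candidate filenames are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical check modelled on the flaw described above (NOT the library's
// real code): a case-sensitive prefix comparison. PHP lowercases the wrapper
// name before looking it up, so "PHAR://" and "Phar://" still reach the phar
// wrapper even though this check lets them through.
function isOutputAllowedVulnerable(string $filename): bool
{
    return strncmp($filename, 'phar://', 7) !== 0;
}

// Hardened replacement: extract any leading "scheme:" case-insensitively and
// allow only plain paths or the file:// wrapper. A single-letter scheme is a
// Windows drive letter such as "C:\", not a wrapper, so it is allowed through.
function isOutputAllowedHardened(string $filename): bool
{
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $filename, $m) && strlen($m[1]) > 1) {
        return strtolower($m[1]) === 'file';
    }
    return true;
}

// Constructed inputs: the three casings of the phar wrapper from the advisory,
// plus benign paths and another wrapper that a blacklist would also miss.
$candidates = [
    '/var/www/out/report.pdf',
    'C:\\out\\report.pdf',
    'file:///var/www/out/report.pdf',
    'phar:///var/www/uploads/evil.phar/x.pdf',
    'PHAR:///var/www/uploads/evil.phar/x.pdf',
    'Phar:///var/www/uploads/evil.phar/x.pdf',
    'data://text/plain;base64,SGVsbG8=',
];

foreach ($candidates as $name) {
    printf("%-45s vulnerable:%-5s hardened:%s\n",
        $name,
        isOutputAllowedVulnerable($name) ? 'allow' : 'block',
        isOutputAllowedHardened($name) ? 'allow' : 'block');
}
```

Run with the PHP CLI: the vulnerable check blocks only the lowercase phar:// entry and allows the PHAR:// and Phar:// variants, while the hardened check blocks every wrapper other than file://. The design point is that a deny-list of spellings cannot keep up with a case-insensitive resolver; deciding on the parsed scheme against an allow-list removes the casing question entirely.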

Defensive priority

High priority due to CVSS score of 8.1 and potential for remote code execution

Recommended defensive actions

  • Upgrade PhpWeasyPrint to version 2.6.0 or later, the fixed release named in the advisory
  • Inventory applications that depend on pontedilana/php-weasyprint, including indirect pins recorded in composer.lock
  • Review how the output filename handed to PhpWeasyPrint is built; it should come from application-controlled paths, never from request data
  • Monitor for PHAR archives and phar:// strings in upload directories, web server logs and request parameters
  • Where upgrading is delayed, add compensating controls to limit exposure and review the official advisories for additional mitigation guidance
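The inventory step above can be scripted. The following PHP is an added example, not tooling from the vendor or from the page's sources: it reads a composer.lock document, finds the pontedilana/php-weasyprint pin in either the "packages" or "packages-dev" section, and compares it against the 2.6.0 fix version from the advisory. The embedded sample lock content (including the second package entry) is constructed for the example; pass a real composer.lock path as the first argument to check a project.

```php
<?php
declare(strict_types=1);

const VULN_PACKAGE  = 'pontedilana/php-weasyprint';
const FIXED_VERSION = '2.6.0';

/**
 * Returns the locked version of $package from a composer.lock JSON document,
 * checking both "packages" and "packages-dev", or null if it is not locked.
 */
function findLockedVersion(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (($entry['name'] ?? '') === $package) {
                return $entry['version'] ?? null;
            }
        }
    }
    return null;
}

/**
 * True when the locked version is older than the fixed release. Composer
 * records tags as "v2.5.1", so the leading "v" is stripped for version_compare().
 * Branch aliases such as "dev-main" compare lower than any number and are
 * therefore reported as affected, which is the conservative answer.
 */
function isVulnerable(string $version, string $fixed): bool
{
    return version_compare(ltrim($version, 'v'), $fixed, '<');
}

// Constructed sample lock file used when no path is given on the command line.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "pontedilana/php-weasyprint", "version": "v2.5.1"},
    {"name": "symfony/process", "version": "v6.4.8"}
  ],
  "packages-dev": []
}
JSON;

$path = $argv[1] ?? null;
$json = $path !== null ? file_get_contents($path) : $sampleLock;
if ($json === false) {
    fwrite(STDERR, "could not read $path\n");
    exit(2);
}

$version = findLockedVersion($json, VULN_PACKAGE);
if ($version === null) {
    echo VULN_PACKAGE . " is not locked in this project\n";
} elseif (isVulnerable($version, FIXED_VERSION)) {
    printf("%s %s is affected by CVE-2026-49286; upgrade to %s or later\n",
        VULN_PACKAGE, $version, FIXED_VERSION);
    exit(1);
} else {
    printf("%s %s is at or past the fixed release %s\n",
        VULN_PACKAGE, $version, FIXED_VERSION);
}
```

With the embedded sample the script reports v2.5.1 as affected and exits non-zero, which makes it usable as a CI gate across many repositories; composer's own `composer audit` command covers the same ground once the advisory is in the Packagist security database, but the lock-file comparison works offline and before that indexing happens.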

Evidence notes

The CVE record (cve.org) and the NVD entry (nvd.nist.gov) are the official sources for CVE-2026-49286. They describe a remote code execution issue caused by insecure PHAR deserialization in PhpWeasyPrint versions before 2.6.0, scored CVSS 8.1 (high). The fix ships in version 2.6.0, and the issue is recorded as a bypass of the earlier fix for CVE-2023-28115.

Official resources

This article is AI-assisted and based on the supplied source corpus.