PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49358 pontedilana CVE debrief

CVE-2026-49358 is a vulnerability in PhpWeasyPrint, a PHP library for generating PDFs from URLs or HTML pages. The issue allows for arbitrary file deletion due to insecure handling of temporary files. Specifically, the public array `AbstractGenerator::$temporaryFiles` can be manipulated to delete arbitrary files when `removeTemporaryFiles()` is called. This vulnerability has a CVSS score of 3 and is considered low severity. PhpWeasyPrint version 2.6.0 patches this issue. Defenders should prioritize updating to the patched version to limit exposure.

Vendor
pontedilana
Product
php-weasyprint
CVSS
LOW 3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-19
Original CVE updated
2026-06-23
Advisory published
2026-06-19
Advisory updated
2026-06-23

Who should care

Developers and administrators running PhpWeasyPrint should check their exposure, above all where the library renders content from untrusted sources or where other code paths can reach the generator object. Because the cleanup routine unlinks whatever the public array contains, an attacker who can write to that array can remove any file the PHP process is allowed to delete (which is governed by write access to the containing directory, not to the file itself). Realistic impact is data loss or denial of service, for example removing configuration, cache, session or lock files, and in some deployments the removal of a file that another control depends on. Updating to PhpWeasyPrint 2.6.0 or later is the fix.

Technical summary

The vulnerability arises from `AbstractGenerator::$temporaryFiles` being a public array: any code holding a reference to the generator can append paths to it. `removeTemporaryFiles()`, which the library registers to run at script shutdown, iterates over that array and unlinks each entry without verifying that the path is one the generator created, lives in the configured temporary directory, or is a regular file rather than a symlink. The result is that the list of files to delete is controlled by whoever can write to the property, and the only bound on what gets removed is the PHP process's permission to unlink (write access to the parent directory). PhpWeasyPrint 2.6.0 patches the issue.
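To make the failure mode concrete, here is a reduced model of the pattern described above, written for this debrief rather than taken from PhpWeasyPrint's source: a generator that records scratch files in a public array and unlinks them in a shutdown hook, beside a hardened variant that keeps the list private, only ever adds paths it created itself inside one temporary directory, and re-checks every entry before unlinking. Class names, the `weasy_` prefix and the `createTemporaryFile()` helper are illustrative; only `removeTemporaryFiles()` and `$temporaryFiles` are names from the advisory. Paths assume a POSIX system where `tempnam()` keeps the requested prefix.

```php
<?php
declare(strict_types=1);

// Vulnerable shape (illustrative, not PhpWeasyPrint's source): the list of
// scratch files is a public property, so any code holding a reference to the
// generator can append arbitrary paths, and the shutdown hook unlinks every
// entry without checking that the generator created it.
class VulnerableGenerator
{
    public array $temporaryFiles = [];

    public function __construct()
    {
        register_shutdown_function([$this, 'removeTemporaryFiles']);
    }

    public function createTemporaryFile(string $content): string
    {
        $path = tempnam(sys_get_temp_dir(), 'weasy_');
        file_put_contents($path, $content);
        $this->temporaryFiles[] = $path;
        return $path;
    }

    public function removeTemporaryFiles(): void
    {
        foreach ($this->temporaryFiles as $file) {
            if (file_exists($file)) {
                unlink($file);   // no check that $file is one of ours
            }
        }
    }
}

// Hardened shape: private list, entries are only produced by this class inside
// one dedicated directory, and each entry is re-validated before unlinking.
final class HardenedGenerator
{
    private const PREFIX = 'weasy_';
    private array $temporaryFiles = [];
    private string $tempDir;

    public function __construct(?string $tempDir = null)
    {
        $real = realpath($tempDir ?? sys_get_temp_dir());
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException('temporary directory is not usable');
        }
        $this->tempDir = $real;
        register_shutdown_function([$this, 'removeTemporaryFiles']);
    }

    public function createTemporaryFile(string $content): string
    {
        $path = tempnam($this->tempDir, self::PREFIX);
        if ($path === false) {
            throw new RuntimeException('could not create temporary file');
        }
        file_put_contents($path, $content);
        $this->temporaryFiles[] = $path;
        return $path;
    }

    public function removeTemporaryFiles(): void
    {
        foreach ($this->temporaryFiles as $file) {
            if ($this->isOwnedTemporaryFile($file)) {
                @unlink($file);
            }
        }
        $this->temporaryFiles = [];
    }

    // Accept only a regular file (not a symlink) whose resolved path sits
    // directly inside our temp directory and carries our prefix.
    private function isOwnedTemporaryFile(string $file): bool
    {
        $real = realpath($file);
        return $real !== false
            && !is_link($file)
            && is_file($real)
            && dirname($real) === $this->tempDir
            && str_starts_with(basename($real), self::PREFIX);
    }
}

// Demonstration with a constructed stand-in for a file the application needs.
$victim = tempnam(sys_get_temp_dir(), 'victim_');
file_put_contents($victim, 'application data');

$v = new VulnerableGenerator();
$v->temporaryFiles[] = $victim;          // attacker-influenced entry
$v->removeTemporaryFiles();
printf("vulnerable cleanup: victim exists = %s\n", var_export(file_exists($victim), true));

file_put_contents($victim, 'application data');
$h = new HardenedGenerator();
$own = $h->createTemporaryFile('scratch HTML for rendering');
$h->removeTemporaryFiles();
printf("hardened cleanup: victim exists = %s, own scratch exists = %s\n",
    var_export(file_exists($victim), true), var_export(file_exists($own), true));

@unlink($victim);   // leave nothing behind before the shutdown hooks run
```

Run it with `php demo.php` in a scratch environment: the vulnerable cleanup removes the file the generator never created, while the hardened cleanup leaves it in place and removes only the generator's own scratch file. The re-validation in `isOwnedTemporaryFile()` matters because visibility alone is not a security boundary: reflection or `unserialize()` can populate a private property just as easily as a public one, so the cleanup routine must not trust the list's contents. The hardened class illustrates the intent of the fix and is not a copy of the 2.6.0 change.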

Defensive priority

Low CVSS severity, but treat it as a higher priority where the generator processes untrusted input, where the PHP process runs with broad filesystem permissions, or where other code can reach the generator object: the impact is bounded only by what that process is allowed to unlink, so data loss or denial of service is a realistic outcome.

Recommended defensive actions

  • Inventory applications that depend on `pontedilana/php-weasyprint` (composer.lock is the authoritative record) and schedule patching
  • Update PhpWeasyPrint to version 2.6.0 or later
  • Review application code for anything that reads or writes `$temporaryFiles` directly, and confirm the generator's temporary directory is dedicated to it rather than shared with application data
  • Apply compensating controls until patched: run the PHP process with least privilege so it cannot unlink files outside its own temporary and cache directories
  • Monitor for unexpected file deletions by the web server or PHP worker user (for example, audit rules on unlink in directories that hold configuration or application data)
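The inventory step above is easy to get wrong by eyeballing composer.json constraints instead of the locked version. The following script, added for this debrief and not part of PhpWeasyPrint or PatchSiren tooling, reads a composer.lock, finds the package in both the production and dev sections, and compares the locked version against the first fixed release. The sample lock document embedded in the script is constructed for illustration; pass a real path as the first argument to check a deployment.

```php
<?php
declare(strict_types=1);

const AFFECTED_PACKAGE = 'pontedilana/php-weasyprint';
const FIXED_VERSION    = '2.6.0';

/**
 * Returns the locked version of $package from a decoded composer.lock,
 * or null when it is not installed. Both "packages" and "packages-dev"
 * are checked because a dev-only install still runs the vulnerable code.
 */
function installedVersion(array $lock, string $package): ?string
{
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $entry) {
            if (strcasecmp($entry['name'] ?? '', $package) === 0) {
                return $entry['version'] ?? null;
            }
        }
    }
    return null;
}

/** True when the locked version is below the first fixed release. */
function isAffected(?string $version): bool
{
    if ($version === null) {
        return false;
    }
    // Composer lock files usually carry a leading "v". version_compare()
    // ranks an unknown string like "v" below any digit, which would make
    // every v-prefixed version compare below 2.6.0, so strip it first.
    $normalized = ltrim($version, 'v');
    // Branch aliases (dev-main, dev-master) cannot be compared numerically;
    // flag them so a human confirms which commit is actually deployed.
    if (str_starts_with($normalized, 'dev-')) {
        return true;
    }
    return version_compare($normalized, FIXED_VERSION, '<');
}

// Usage: php check-weasyprint.php /path/to/composer.lock
// Without an argument the constructed sample below is used.
$lockJson = isset($argv[1]) ? file_get_contents($argv[1]) : <<<'JSON'
{
  "packages": [
    {"name": "pontedilana/php-weasyprint", "version": "v2.5.0"},
    {"name": "symfony/process", "version": "v6.4.0"}
  ],
  "packages-dev": []
}
JSON;

$lock    = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
$version = installedVersion($lock, AFFECTED_PACKAGE);

if ($version === null) {
    echo AFFECTED_PACKAGE . " is not in this lock file\n";
} elseif (isAffected($version)) {
    echo AFFECTED_PACKAGE . " $version is below " . FIXED_VERSION . ": update required\n";
    exit(1);
} else {
    echo AFFECTED_PACKAGE . " $version is at or above " . FIXED_VERSION . "\n";
}
```

The non-zero exit status on an affected version lets the script sit in a CI job or a fleet-wide loop over checked-out repositories. It reports only what is locked; it does not prove the vendor directory on a host matches the lock file, so for servers deployed without Composer, check `vendor/composer/installed.json` or the package's own changelog as well.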

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. The PhpWeasyPrint GitHub repository contains the patched version (2.6.0) and additional details. The vulnerability is similar to GHSA-87qc-37cw-84h4 in KnpLabs/snappy.

Official resources

This article is AI-assisted and based on the supplied source corpus.