PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49359 pontedilana CVE debrief

CVE-2026-49359 is a Server-Side Request Forgery (SSRF) vulnerability in the PhpWeasyPrint library: whenever the `attachment` option value resembles a URL, the library fetches it with `file_get_contents()`, so an attacker who controls that value can make the server retrieve internal or local content. The fetched bytes are embedded in the generated PDF as an attachment, which is how the data is exfiltrated. The issue is patched in version 2.6.0; affected systems should prioritize upgrading to version 2.6.0 or later. The vulnerability has a CVSS score of 6.5 and is classified as MEDIUM severity.

Vendor: pontedilana
Product: php-weasyprint
CVSS: 6.5 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-19
Original CVE updated: 2026-06-23
Advisory published: 2026-06-19
Advisory updated: 2026-06-23

Who should care

Developers and administrators using PhpWeasyPrint library versions prior to 2.6.0 should be concerned, as an attacker could exploit this vulnerability to access internal HTTP endpoints, cloud metadata, or local files, leading to potential data exfiltration.

Technical summary

The PhpWeasyPrint library, used for generating PDFs from URLs or HTML pages, is vulnerable to Server-Side Request Forgery (SSRF) and local file disclosure. The `attachment` option of the `Pdf` class is the reachable sink: any value that passes `isOptionUrl()` is downloaded with `file_get_contents()` and embedded into the generated PDF. The check is insufficient because `FILTER_VALIDATE_URL` is a syntax check that accepts many URL schemes, including `http`, `https`, `ftp`, `file`, and PHP stream wrappers such as `php://`. An attacker who can influence the `attachment` value can therefore have the server read internal resources or local files, with the fetched bytes exfiltrated as a PDF attachment.

Defensive priority

Upgrade to PhpWeasyPrint version 2.6.0 or later to patch the vulnerability. Implement input validation and sanitization for the `attachment` option to restrict URL schemes. Monitor for suspicious PDF generation activity.

Recommended defensive actions

  • Upgrade to PhpWeasyPrint version 2.6.0 or later
  • Implement input validation and sanitization for the `attachment` option
  • Monitor for suspicious PDF generation activity
  • Restrict accepted URL schemes with an explicit allow-list (for example `http` and `https` only) rather than relying on `FILTER_VALIDATE_URL`, which has no scheme-restriction flag and accepts `file`, `ftp` and `php://` values
  • Conduct regular security audits and vulnerability assessments
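The following PHP example is added here to illustrate the technical summary and the validation action above; it is not code from php-weasyprint or its advisory. It first shows that `FILTER_VALIDATE_URL` is only a syntax check (the `file:`, `ftp:` and `php://` values the advisory describes pass it), then shows an allow-list validator a calling application can place in front of the `attachment` option. The function names, the constructed sample inputs and the `setOption()` call mentioned in a comment are this example's own assumptions, not the library's API.

```php
<?php
declare(strict_types=1);

// Added example, not code from php-weasyprint. Function names are assumptions
// made for this illustration.

/**
 * Runs FILTER_VALIDATE_URL over a set of candidates and reports which pass.
 * Returns ['candidate' => bool].
 */
function classifyWithFilterValidateUrl(array $candidates): array
{
    $result = [];
    foreach ($candidates as $candidate) {
        $result[$candidate] = filter_var($candidate, FILTER_VALIDATE_URL) !== false;
    }
    return $result;
}

/**
 * Strict validation for a user-influenced attachment URL. Returns the value
 * unchanged when it is an absolute http(s) URL whose host resolves only to
 * public addresses; throws otherwise. Nothing is "sanitized" into shape:
 * anything not on the allow-list is refused.
 */
function assertSafeAttachmentUrl(string $value): string
{
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('attachment must be an absolute http(s) URL');
    }

    // Scheme allow-list. This is the check FILTER_VALIDATE_URL does not do:
    // file:, ftp:, php:, data: and every other scheme are rejected here.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("attachment scheme '{$scheme}' is not allowed");
    }

    // Embedded credentials are a classic way to confuse host parsing; refuse them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('attachment URL must not contain credentials');
    }

    // Resolve the host and check every address, so a hostname pointing at
    // loopback, RFC 1918 space or link-local (where cloud metadata endpoints
    // sit) is refused just like a literal internal IP.
    $host = strtolower(trim($parts['host'], '[]'));
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $addresses = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $record) {
            $addresses[] = $record['ip'] ?? $record['ipv6'] ?? null;
        }
        $addresses = array_values(array_filter($addresses));
    }
    if ($addresses === []) {
        throw new InvalidArgumentException("attachment host '{$host}' does not resolve");
    }
    foreach ($addresses as $ip) {
        // FILTER_FLAG_NO_PRIV_RANGE covers RFC 1918 / fc00::/7; FILTER_FLAG_NO_RES_RANGE
        // covers loopback, 169.254.0.0/16, fe80::/10 and other reserved blocks.
        $isPublic = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
        if (!$isPublic) {
            throw new InvalidArgumentException("attachment host '{$host}' resolves to non-public address {$ip}");
        }
    }

    return $value;
}

// Constructed sample inputs: one legitimate attachment plus the kinds of values
// the advisory says FILTER_VALIDATE_URL lets through.
$samples = [
    'https://example.com/annex.pdf',
    'file:///etc/hostname',
    'ftp://127.0.0.1/export',
    'php://filter/resource=/etc/hostname',
    'http://169.254.169.254/',
];

foreach (classifyWithFilterValidateUrl($samples) as $candidate => $accepted) {
    printf("%-40s FILTER_VALIDATE_URL: %s\n", $candidate, $accepted ? 'accepted' : 'rejected');
}

foreach ($samples as $candidate) {
    try {
        $safe = assertSafeAttachmentUrl($candidate);
        // Only a value that survives the checks would be handed to the generator,
        // e.g. $pdf->setOption('attachment', $safe); (assumed setter name).
        printf("%-40s allow-list: accepted\n", $candidate);
    } catch (InvalidArgumentException $e) {
        printf("%-40s allow-list: rejected (%s)\n", $candidate, $e->getMessage());
    }
}
```

Two caveats for anyone adopting this pattern. The legitimate sample needs working DNS, so in an offline environment it will be reported as "does not resolve". More importantly, the resolution check and the later `file_get_contents()` fetch resolve the name independently, so a hostname whose answer changes between the two calls (DNS rebinding) can slip past it; for a hard guarantee, perform the download through an HTTP client that pins the checked address, or restrict egress from the PDF worker at the network level. Upgrading to 2.6.0 remains the actual fix; the validator is defense in depth at the caller.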

Evidence notes

The CVE-2026-49359 vulnerability is documented in the official CVE record (cve.org) and NVD detail (nvd.nist.gov). The PhpWeasyPrint library's GitHub repository provides additional information on the patch (github.com/pontedilana/php-weasyprint).

Official resources

This article is AI-assisted and based on the supplied source corpus.