CVE-2026-49359 is a Server-Side Request Forgery (SSRF) vulnerability in the PhpWeasyPrint library that allows attackers to fetch server-side content via `file_get_contents()` when the value resembles a URL. This issue, patched in version 2.6.0, enables attackers to exfiltrate data as a PDF attachment. Affected systems should prioritize upgrading to version 2.6.0 or later. The vulnerability has a CVSS sc [truncated]
CVE-2026-49286 is a high-severity remote code execution vulnerability in the PhpWeasyPrint library. The issue arises from a case-sensitive blacklist that fails to guard against PHAR stream wrappers, allowing attackers to bypass security checks and execute arbitrary code. This vulnerability affects PhpWeasyPrint versions prior to 2.6.0 and is a patch bypass of CVE-2023-28115. Defenders should prioritize pa [truncated]
CVE-2026-49260 is a high-severity vulnerability in PhpWeasyPrint, a PHP library used for generating PDFs from URLs or HTML pages. The issue arises from the library's method of constructing shell commands for WeasyPrint, which allows for shell command injection. This vulnerability has a CVSS score of 8.2 and is considered high priority. Affected deployments include those where the binary path is sourced fr [truncated]
CVE-2026-49358 is a vulnerability in PhpWeasyPrint, a PHP library for generating PDFs from URLs or HTML pages. The issue allows for arbitrary file deletion due to insecure handling of temporary files. Specifically, the public array `AbstractGenerator::$temporaryFiles` can be manipulated to delete arbitrary files when `removeTemporaryFiles()` is called. This vulnerability has a CVSS score of 3 and is consi [truncated]