Security Advisory - Published 2026-06-20 - PHP Library
PhpWeasyPrint CVEs: check PDF generation routes and output folders
CVE-2026-49260 and CVE-2026-49286 affect PHP applications that use pontedilana/php-weasyprint for PDF generation. The first check is simple: find the Composer version actually deployed, then review routes that accept user input before generating PDFs.
Affected library versions
| CVE | Affected | Review | CVSS |
|---|---|---|---|
| CVE-2026-49260 | before 2.5.1 | composer.lock, PDF generation jobs, and web-server logs | 8.2 |
| CVE-2026-49286 | before 2.6.0 | composer.lock, PDF output folders, and generated files | 8.1 |
Owner self-check
```sh
# Installed library version (prints nothing if the package is absent)
composer show pontedilana/php-weasyprint 2>/dev/null
# Where PDF generation is wired in: dependency files, app code, routes, config
grep -Rni 'php-weasyprint\|WeasyPrint\|snappy\|pdf' composer.json composer.lock app src routes config 2>/dev/null
# Files written during the last 10 days to the usual output and temp folders
find storage public var tmp -type f -mtime -10 2>/dev/null | grep -E '\.pdf$|\.html$|\.php$|\.phtml$|\.log$'
# Log lines that mention PDF jobs or renderer errors
grep -Rni 'pdf\|weasy\|wkhtml\|error' storage/logs var/log logs 2>/dev/null
```
What to review
- Routes that generate PDFs from user-provided URLs, HTML, filenames, templates, invoices, or reports.
- Output directories where generated PDFs are written, especially if files appeared during the alert window.
- Queue workers, cron jobs, and background jobs that run PDF generation outside the web request.
- Composer lock files in the deployed artifact, not only the development branch.
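The lock-file check from the self-check and the last list item, as an added example that is not part of the advisory or the library: a Python script that reads composer.lock, finds the locked pontedilana/php-weasyprint version and reports which of the two CVEs still apply, using the fixed releases from the table above. The composer.lock content is a constructed sample; run it against the lock file in the deployed artifact.

```python
import json
import re

PACKAGE = "pontedilana/php-weasyprint"
# Fixed releases from the advisory table; the trailing 1 marks a final release.
FIXED_IN = {"CVE-2026-49260": (2, 5, 1, 1), "CVE-2026-49286": (2, 6, 0, 1)}

def parse_version(version):
    """Map 'v2.5.1' or '2.6.0-RC1' to a comparable tuple. Pre-releases sort
    below their final release; dev-* and branch aliases return None."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-[0-9A-Za-z.]+)?$", version)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def installed_version(lock_json, package=PACKAGE):
    """Locked version of `package` from composer.lock text (runtime and dev
    sections); None when the package is not locked at all."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None

def affected_cves(lock_json):
    """CVEs whose fixed release is newer than the locked version. A version
    that cannot be parsed (dev-main, a branch alias) is reported as affected
    by every CVE so it gets a manual review instead of a silent pass."""
    version = installed_version(lock_json)
    if version is None:
        return []
    parsed = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if parsed is None or parsed < fixed)

# Constructed composer.lock fragment, not taken from any real deployment.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": PACKAGE, "version": "v2.5.1"},
    {"name": "symfony/process", "version": "v6.4.0"}], "packages-dev": []})

if __name__ == "__main__":
    print(affected_cves(SAMPLE_LOCK))  # ['CVE-2026-49286']
```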
Safe fix path
- Upgrade pontedilana/php-weasyprint to a release that fixes both advisories (2.6.0 or later, per the table above).
- Redeploy and restart PHP workers, queues, and cron jobs that load the old dependency.
- Restrict PDF generation inputs to expected templates and trusted files.
- Rotate credentials if logs show unexpected file writes or PDF jobs outside normal user activity.
Repair help
Use Ping7 CVE Repair when PDF generation is public, jobs ran during the exposure window, or output folders contain files that are hard to explain.