HIGH 8.2 CVE-2026-49260 php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
from 0, < 2.5.1
HIGH 8.1 CVE-2026-49286 PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
from 0, < 2.6.0
MEDIUM 6.5 CVE-2026-49359 PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option
from 0, < 2.6.0
LOW 3.0 PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles