VYPR
Medium severity (6.9) · GHSA Advisory · Published May 21, 2026 · Updated May 21, 2026

Snappy : SSRF and local file read via the xsl-style-sheet option

CVE-2026-46683

Description

Impact

It impacts applications where:
- the PHP daemon runs with root permissions;
- the application is either running outside a container or otherwise has access to sensitive files.

It can happen with this kind of workflow, where a user-controlled value reaches the xsl-style-sheet option unvalidated:

$stylesheet = $_GET['stylesheet']; // attacker supplies 'file:///etc/passwd'
$pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
$pdf->generate('page.html', 'out.pdf', [
    'xsl-style-sheet' => $stylesheet, // passed straight through to wkhtmltopdf, no scheme check
]);

Patches

An allowlist of URI schemes, containing http and https by default, is now used to validate the remote path given to this option; other schemes such as file:// are rejected.
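To make the scheme-allowlist idea concrete, here is an added, stand-alone validator in the style an application could wrap around the option before calling Snappy. It is illustrative code written for this page, not the library's actual patch; the class name StylesheetOptionValidator and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example: scheme allowlist for a value that wkhtmltopdf will fetch as a URL.
// Not the Snappy library's own code; class and inputs are illustrative.

final class StylesheetOptionValidator
{
    /** @var string[] lowercase URI schemes that may be fetched */
    private array $allowedSchemes;

    public function __construct(array $allowedSchemes = ['http', 'https'])
    {
        $this->allowedSchemes = array_map('strtolower', $allowedSchemes);
    }

    /**
     * Returns $value unchanged when it is an absolute URL with an allowed scheme
     * and a non-empty host; throws otherwise. A value with no scheme is rejected
     * too, because wkhtmltopdf would treat it as a local file path.
     */
    public function validate(string $value): string
    {
        // Control characters and whitespace are never part of a legitimate URL here.
        if ($value === '' || preg_match('/[\x00-\x20]/', $value)) {
            throw new \InvalidArgumentException('Stylesheet URL contains forbidden characters.');
        }

        $parts = parse_url($value);
        if ($parts === false || !isset($parts['scheme'])) {
            throw new \InvalidArgumentException('Stylesheet must be an absolute URL.');
        }

        // Compare case-insensitively: FILE:// and file:// are the same to wkhtmltopdf.
        $scheme = strtolower($parts['scheme']);
        if (!in_array($scheme, $this->allowedSchemes, true)) {
            throw new \InvalidArgumentException(sprintf('Scheme "%s" is not allowed.', $scheme));
        }

        if (!isset($parts['host']) || $parts['host'] === '') {
            throw new \InvalidArgumentException('Stylesheet URL must include a host.');
        }

        return $value;
    }
}

// Constructed inputs for the demonstration.
$validator = new StylesheetOptionValidator();
$cases = [
    'https://assets.example.com/invoice.xsl',    // accepted
    'file:///etc/passwd',                        // rejected: scheme "file"
    'FILE:///etc/passwd',                        // rejected: same scheme, different case
    '/etc/passwd',                               // rejected: no scheme, would be a local path
    'http://169.254.169.254/latest/meta-data/',  // accepted by the scheme check, still SSRF
];

foreach ($cases as $case) {
    try {
        $validator->validate($case);
        echo "accepted: $case\n";
    } catch (\InvalidArgumentException $e) {
        echo "rejected: $case ({$e->getMessage()})\n";
    }
}
```

The last case is the caveat a practitioner should keep in mind: restricting the scheme to http and https closes the local file read, but the PDF renderer will still fetch any http(s) URL it is given, including internal or cloud-metadata addresses. A scheme allowlist alone does not remove the SSRF; pair it with a fixed mapping of stylesheet keys to known paths (as in the Workarounds section) or a host allowlist.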

Workarounds

Developers should ensure that, under no circumstances, a user can pass free-form input directly to the Snappy library as an option value.

// Bad example
$pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
$pdf->generate('page.html', 'out.pdf', [
    'xsl-style-sheet' => $_GET['input'],
]);

Instead, developers can maintain a fixed list of available stylesheets and use the user input only as a key to select one of them.

// Better
$allowedStylesheets = [
    'invoice' => '/app/xsl/invoice.xsl',
    'report'  => '/app/xsl/report.xsl',
];

$key = $_GET['stylesheet'] ?? '';

if (!array_key_exists($key, $allowedStylesheets)) {
    throw new \RuntimeException('Unknown stylesheet.');
}

$pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf');
$pdf->generate('page.html', 'out.pdf', [
    'xsl-style-sheet' => $allowedStylesheets[$key],
]);

References

Read more about SSRF at owasp.org/www-community/attacks/Server_Side_Request_Forgery

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-46683 is a server-side request forgery (SSRF) vulnerability in Knp Snappy PHP library, allowing local file read via unvalidated xsl-style-sheet option.

What the vulnerability is

CVE-2026-46683 is a medium-severity (6.9) SSRF and local file read vulnerability in the Knp Snappy PHP library (knplabs/knp-snappy) up to and including version 1.6.0 [1]. The root cause is that the xsl-style-sheet option passed through to wkhtmltopdf/wkhtmltoimage does not validate the URI scheme, allowing an attacker to supply arbitrary file paths or URLs [2].

How it's exploited

An attacker can exploit this by providing a malicious input to any application parameter that is passed unsanitized to the xsl-style-sheet option of the generate() method [1]. The attack requires the PHP daemon to run with root privileges, or the application to have access to sensitive files. A typical attack scenario uses a file:// URI, e.g., file:///etc/passwd to read local files [2].

Impact

Successful exploitation leads to server-side request forgery (SSRF) and local file disclosure [1]. An attacker could read arbitrary files on the server, including sensitive configuration files, password hashes, or application secrets, depending on the permissions of the PHP process [2].

Mitigation

The issue is patched in the latest versions by defaulting to an allowlist of http and https schemes for remote paths [1]. As a workaround, developers must never pass unsanitized user input to the library; instead, they should implement a mapping of allowed stylesheet keys to fixed paths [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Knplabs/Snappy (GHSA, 2 versions): <= 1.6.0, + 1 more
    • (no CPE) range: <= 1.6.0
    • (no CPE)
