VYPR

Browsershot

by Spatie


CVEs (6)

  • CVE-2025-3192 (High) Apr 4, 2025
    risk 0.53, CVSS 8.2, EPSS 0.00

    Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories.

  • CVE-2025-1026 (High) Feb 5, 2025
    risk 0.49, CVSS 8.6, EPSS 0.01

    Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. **Note:** This is a bypass of…

  • CVE-2024-21549 (High) Dec 20, 2024
    risk 0.49, CVSS 8.6, EPSS 0.01

    Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, which allows for arbitrary file reading on a…

  • CVE-2024-21544 (High) Dec 13, 2024
    risk 0.49, CVSS 8.6, EPSS 0.01

    Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local…

  • CVE-2025-1022 (High) Feb 5, 2025
    risk 0.46, CVSS 8.2, EPSS 0.00

    Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing…

  • CVE-2024-21547 (High) Dec 18, 2024
    risk 0.42, CVSS 7.5, EPSS 0.01

    Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal due to URI normalisation in the browser where the file:// check can be bypassed with file:\\. An attacker could read any file on the server by exploiting the normalization of \ into /.