Snappy
by Knplabs
Source repositories
CVEs (2)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46643 | hig | 0.45 | — | — | May 21, 2026 | ### Impact On POSIX, escapeshellarg(‘/usr/bin/wkhtmltopdf’) returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. is_executable() then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and $command always falls through to the raw, unescaped value. The rest of the arguments (options, input, output) are escaped correctly, so injection has to land in the binary string itself. That happens whenever the binary path is sourced from configuration that is user-influenced, derived from environment variables that ultimately come from request data, or concatenated with any user-controlled fragment. #### Proof of concept: ```php $pdf = new Knp\Snappy\Pdf(‘wkhtmltopdf; touch /tmp/snappy_rce’); $pdf->generate(‘https://example.com’, ‘/tmp/out.pdf’); // /tmp/snappy_rce is created. ``` **Impact:** command execution as the PHP process when the binary path is attacker-influenced. Even in deployments where the binary is hard-coded, this is a defensive-in-depth regression: downstream packages reasonably assume Snappy shell-escapes the binary because the code looks like it does. ### Patches The version 1.7.1 will resolve this security advisory. ### Workarounds Before calling the constructor, ensure `\is_executable($path)` is truthy. ```php // Bad example $pdf = new Knp\Snappy\Pdf('/path/to/binary'); ``` ```php // Better example $pathToBinary = '/path/to/binary'; if (!\is_executable($pathToBinary)) { throw new \RuntimeException(); } $pdf = new Knp\Snappy\Pdf('/path/to/binary'); ``` | ||
| CVE-2026-46683 | 0.00 | — | — | May 21, 2026 | ### Impact It impacts applications where: - the PHP daemon run with root permissions ; - the application is either running outside a container or has sensitive file access ; It could happens with this kind of workflows: ```php $stylesheet = $_GET['stylesheet']; // = ‘file:///etc/passwd’ $pdf = new Knp\Snappy\Pdf(‘/usr/local/bin/wkhtmltopdf’); $pdf->generate(‘page.html’, ‘out.pdf’, [ ‘xsl-style-sheet’ => $stylesheet ]); ``` ### Patches A list a schema with `http` and `https` by default is used to validate the remote path by default. ### Workarounds Developers should ensure usage cannot allow (in any case) a user to pass a free input directly to the Snappy library. ```php // Bad example $pdf = new Knp\Snappy\Pdf(‘/usr/local/bin/wkhtmltopdf’); $pdf->generate(‘page.html’, ‘out.pdf’, [ ‘xsl-style-sheet’ => $_GET['input'], ]); ``` Instead developers can list available available stylesheets and pick the right one with the user input. ```php // Better $allowedStylesheets = [ 'invoice' => '/app/xsl/invoice.xsl', 'report' => '/app/xsl/report.xsl', ]; $key = $_GET['stylesheet'] ?? ''; if (!array_key_exists($key, $allowedStylesheets)) { throw new \RuntimeException('Unknown stylesheet.'); } $pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf'); $pdf->generate('page.html', 'out.pdf', [ 'xsl-style-sheet' => $allowedStylesheets[$key], ]); ``` ### References Read more about SSRF at [owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) |
- risk 0.45cvss —epss —
### Impact On POSIX, escapeshellarg(‘/usr/bin/wkhtmltopdf’) returns the literal string ‘/usr/bin/wkhtmltopdf’ with the single-quote characters included. is_executable() then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and $command always falls through to the raw, unescaped value. The rest of the arguments (options, input, output) are escaped correctly, so injection has to land in the binary string itself. That happens whenever the binary path is sourced from configuration that is user-influenced, derived from environment variables that ultimately come from request data, or concatenated with any user-controlled fragment. #### Proof of concept: ```php $pdf = new Knp\Snappy\Pdf(‘wkhtmltopdf; touch /tmp/snappy_rce’); $pdf->generate(‘https://example.com’, ‘/tmp/out.pdf’); // /tmp/snappy_rce is created. ``` **Impact:** command execution as the PHP process when the binary path is attacker-influenced. Even in deployments where the binary is hard-coded, this is a defensive-in-depth regression: downstream packages reasonably assume Snappy shell-escapes the binary because the code looks like it does. ### Patches The version 1.7.1 will resolve this security advisory. ### Workarounds Before calling the constructor, ensure `\is_executable($path)` is truthy. ```php // Bad example $pdf = new Knp\Snappy\Pdf('/path/to/binary'); ``` ```php // Better example $pathToBinary = '/path/to/binary'; if (!\is_executable($pathToBinary)) { throw new \RuntimeException(); } $pdf = new Knp\Snappy\Pdf('/path/to/binary'); ```
- CVE-2026-46683May 21, 2026risk 0.00cvss —epss —
### Impact It impacts applications where: - the PHP daemon run with root permissions ; - the application is either running outside a container or has sensitive file access ; It could happens with this kind of workflows: ```php $stylesheet = $_GET['stylesheet']; // = ‘file:///etc/passwd’ $pdf = new Knp\Snappy\Pdf(‘/usr/local/bin/wkhtmltopdf’); $pdf->generate(‘page.html’, ‘out.pdf’, [ ‘xsl-style-sheet’ => $stylesheet ]); ``` ### Patches A list a schema with `http` and `https` by default is used to validate the remote path by default. ### Workarounds Developers should ensure usage cannot allow (in any case) a user to pass a free input directly to the Snappy library. ```php // Bad example $pdf = new Knp\Snappy\Pdf(‘/usr/local/bin/wkhtmltopdf’); $pdf->generate(‘page.html’, ‘out.pdf’, [ ‘xsl-style-sheet’ => $_GET['input'], ]); ``` Instead developers can list available available stylesheets and pick the right one with the user input. ```php // Better $allowedStylesheets = [ 'invoice' => '/app/xsl/invoice.xsl', 'report' => '/app/xsl/report.xsl', ]; $key = $_GET['stylesheet'] ?? ''; if (!array_key_exists($key, $allowedStylesheets)) { throw new \RuntimeException('Unknown stylesheet.'); } $pdf = new Knp\Snappy\Pdf('/usr/local/bin/wkhtmltopdf'); $pdf->generate('page.html', 'out.pdf', [ 'xsl-style-sheet' => $allowedStylesheets[$key], ]); ``` ### References Read more about SSRF at [owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)