CVE-2026-49286 is a high-severity insecure deserialization vulnerability in pontedilana/php-weasyprint (composer), affecting versions <= 2.5.1. It is fixed in 2.6.0.
Summary
pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist. PHP matches stream-wrapper schemes case-insensitively, so PHAR://, Phar:// and similar spellings bypass the check and reach the fileExists() helper in prepareOutput(), which calls PHP's file_exists(). On PHP 7 (the library still supports PHP 7.4+), file_exists() on a phar:// path deserializes the metadata of the referenced PHAR archive; with a crafted archive this leads to remote code execution. This is a bypass of the patch for CVE-2023-28115. The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj).

Affected versions
pontedilana/php-weasyprint versions <= 2.5.1 (the case-sensitive guard was introduced in commit eb8accc, "Implement countermeasures for CVE-2023-28115"). Patched in 2.6.0.

Privilege required
A caller able to control the output filename passed to generate() or generateFromHtml(), plus the ability to place a PHAR archive on the server's filesystem (for example through a file upload; the phar:// wrapper does not care about the file's extension). Exploitation of the deserialization requires the server to run PHP < 8, since PHP 8.0 stopped deserializing PHAR metadata automatically during file operations.

Vulnerable code
src/AbstractGenerator.php, prepareOutput(): strpos($filename, 'phar://') matches only the exact lowercase string, while wrapper resolution is case-insensitive, so PHAR://payload.phar is not caught.

Proof of concept

Impact
Remote code execution and filesystem access through PHAR metadata deserialization on PHP < 8, when the output filename is attacker-influenced and a PHAR can be planted. Turning the deserialization into code execution additionally requires a usable gadget chain among the classes the application autoloads.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1, High); treat as Critical in deployments running PHP 7 with an upload surface, and adjust to your environment. CWE-502 (Deserialization of Untrusted Data).

Suggested fix
Replace the case-sensitive blacklist with a scheme allow-list (no scheme, or file), comparing the lowercased scheme parsed from the filename: prepareOutput() then rejects any other scheme (phar, PHAR, php, http, ...) before file_exists() is reached.
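The two checks side by side, as an added example that is not code from pontedilana/php-weasyprint or KnpLabs/snappy. rejectsOutputBlacklist() reproduces the shape of the <= 2.5.1 guard (a case-sensitive strpos() for 'phar://'); rejectsOutputAllowList() implements the suggested fix by extracting the scheme, lowercasing it, and accepting only a bare path or file. The function names, the scheme parser and the sample filenames are all assumptions made for this illustration; the parser is modelled on PHP's own wrapper lookup (two or more scheme characters followed by a colon) but is deliberately stricter, so that a single-letter Windows drive prefix such as C:\ is still accepted while anything resembling a wrapper is refused.

```php
<?php
// Added example (not library code): contrast the case-sensitive blacklist
// described in the advisory with a scheme allow-list for the output filename.
declare(strict_types=1);

/**
 * Shape of the vulnerable guard in <= 2.5.1 (illustrative, not the exact
 * library source). strpos() compares bytes exactly, so 'PHAR://' and
 * 'Phar://' are not matched even though PHP resolves them to the phar wrapper.
 * Returns true when the filename is rejected.
 */
function rejectsOutputBlacklist(string $filename): bool
{
    return strpos($filename, 'phar://') !== false;
}

/**
 * Extract a candidate stream-wrapper scheme, lowercased, or null if there is none.
 * Assumption: two or more [A-Za-z0-9+.-] characters followed by ':' count as a
 * scheme. PHP's own lookup additionally requires "://" (or the special "data:"),
 * so this is stricter than the engine, which is the safe direction for a guard.
 * A one-letter prefix such as "C:" is not a scheme, so Windows drive paths pass.
 */
function outputScheme(string $filename): ?string
{
    if (preg_match('#^([A-Za-z0-9+.\-]{2,}):#', $filename, $m) === 1) {
        return strtolower($m[1]);
    }
    return null;
}

/**
 * Hardened guard: allow a bare path or the file scheme, reject everything else
 * (phar, PHAR, php, http, data, ...) regardless of letter case.
 * Returns true when the filename is rejected.
 */
function rejectsOutputAllowList(string $filename): bool
{
    $scheme = outputScheme($filename);
    return $scheme !== null && $scheme !== 'file';
}

/**
 * Constructed sample filenames for the comparison table; the planted archive
 * path is hypothetical and no PHAR payload is built or referenced here.
 */
function sampleFilenames(): array
{
    return [
        '/tmp/out.pdf',
        'file:///tmp/out.pdf',
        'phar:///var/www/uploads/planted.jpg/out.pdf',
        'PHAR:///var/www/uploads/planted.jpg/out.pdf',
        'Phar:///var/www/uploads/planted.jpg/out.pdf',
        'php://filter/resource=/tmp/out.pdf',
        'C:\\reports\\out.pdf',
    ];
}

foreach (sampleFilenames() as $filename) {
    printf(
        "%-48s blacklist=%-6s allowlist=%s\n",
        $filename,
        rejectsOutputBlacklist($filename) ? 'reject' : 'accept',
        rejectsOutputAllowList($filename) ? 'reject' : 'accept'
    );
}
```

Run it with php on the command line; the rows where the two columns disagree are exactly the mixed-case phar spellings and the non-phar wrappers, which is the gap the 2.6.0 change closes. In a real integration the allow-list check belongs before any filesystem call on the filename (file_exists(), is_file(), unlink()), not only in front of the one call the advisory names.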
Credit Original vulnerability and patch-bypass reported upstream to KnpLabs/snappy by Rémi Matasse of Synacktiv (GHSA-92rv-4j2h-8mjj); identified as applicable to pontedilana/php-weasyprint, which mirrors the same code.
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
CVE-2026-49286 has a CVSS score of 8.1 (High). The vector is network-reachable with high attack complexity, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment, whether the output filename can be influenced by a caller, and whether the host runs PHP 7.
A fixed version is available (2.6.0). Upgrading removes the vulnerable code path.
Affected package: pontedilana/php-weasyprint <= 2.5.1 (composer). Fixed in: 2.6.0.
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2026-49286 is reachable in your applications. Explore runtime application protection for your team.
Upgrade pontedilana/php-weasyprint to 2.6.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.