Listen to this Post
The vulnerability arises when developers pass unsanitized user input into the `xsl-style-sheet` option of the `Knp\Snappy\Pdf` generator. The library uses wkhtmltopdf, which supports both remote (HTTP/HTTPS) and local (file://) resources. If an attacker supplies a path like file:///etc/passwd, the library will read and embed that local file into the generated PDF. This can expose sensitive system files. The attack works because wkhtmltopdf does not restrict the protocol used for the XSL stylesheet. The issue is classified as moderate severity because it requires the PHP process to have read access to the target file, and typical deployments inside containers may limit exposure.
dailycve form:
Platform: PHP
Version: <4.1.4
Vulnerability: SSRF/Local read
Severity: Moderate
date: 2026-05-15
Prediction: Patch available
What Undercode Say:
The `file://` protocol in XSL stylesheet options is dangerous. Below is a simple test to verify if your system is vulnerable.
Test for local file inclusion via SSRF curl -X POST http://vulnerable-app.local/generate-pdf \ -d "stylesheet=file:///etc/passwd"
Exploit:
An attacker can craft a request like:
$stylesheet = $_GET['stylesheet']; // = 'file:///etc/passwd'
$pdf->generate('page.html', 'out.pdf', ['xsl-style-sheet' => $stylesheet]);
This will embed `/etc/passwd` into `out.pdf`.
Protection from this CVE:
Always restrict allowed stylesheets to a safe list.
$allowed = ['invoice.xsl', 'report.xsl'];
if (!in_array($_GET['stylesheet'], $allowed)) {
throw new RuntimeException('Invalid stylesheet.');
}
Also use `escapeshellarg` on any binary paths.
Impact:
- Read arbitrary local files
- Server-side request forgery (SSRF)
- Exposure of secrets and configuration files
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

