KnpSnappyBundle, SSRF and Local File Read, CVE-2026-46683 (Moderate)

Listen to this Post

The vulnerability arises when developers pass unsanitized user input into the `xsl-style-sheet` option of the `Knp\Snappy\Pdf` generator. The library uses wkhtmltopdf, which supports both remote (HTTP/HTTPS) and local (file://) resources. If an attacker supplies a path like file:///etc/passwd, the library will read and embed that local file into the generated PDF. This can expose sensitive system files. The attack works because wkhtmltopdf does not restrict the protocol used for the XSL stylesheet. The issue is classified as moderate severity because it requires the PHP process to have read access to the target file, and typical deployments inside containers may limit exposure.

dailycve form:

Platform: PHP
Version: <4.1.4
Vulnerability: SSRF/Local read
Severity: Moderate
date: 2026-05-15

Prediction: Patch available

What Undercode Say:

The `file://` protocol in XSL stylesheet options is dangerous. Below is a simple test to verify if your system is vulnerable.

Test for local file inclusion via SSRF
curl -X POST http://vulnerable-app.local/generate-pdf \
-d "stylesheet=file:///etc/passwd"

Exploit:

An attacker can craft a request like:

$stylesheet = $_GET['stylesheet']; // = 'file:///etc/passwd'
$pdf->generate('page.html', 'out.pdf', ['xsl-style-sheet' => $stylesheet]);

This will embed `/etc/passwd` into `out.pdf`.

Protection from this CVE:

Always restrict allowed stylesheets to a safe list.

$allowed = ['invoice.xsl', 'report.xsl'];
if (!in_array($_GET['stylesheet'], $allowed)) {
throw new RuntimeException('Invalid stylesheet.');
}

Also use `escapeshellarg` on any binary paths.

Impact:

  • Read arbitrary local files
  • Server-side request forgery (SSRF)
  • Exposure of secrets and configuration files

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top