This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.
https://snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-1037064
https://github.com/spatie/browsershot/issues/441%23issue-735049731