SCA: security update for pontedilana/php-weasyprint (GHSA-5g9f-cwwg-4p8g)

low Tenable Self-Hosted Container Security Plugin ID 444051

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `AbstractGenerator::$temporaryFiles` is a public array, and `removeTemporaryFiles()`, invoked from `__destruct()` and from a registered shutdown function, calls `unlink()` on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generator instance can push an arbitrary path into the array and have it deleted on script shutdown. This mirrors the KnpLabs/snappy issue GHSA-87qc-37cw-84h4. PhpWeasyPrint version 2.6.0 contains a patch for the issue. (CVE-2026-49358)

Solution

Update the pontedilana/php-weasyprint library and its related packages to version 2.6.0 or later.

See Also

https://github.com/advisories/GHSA-5g9f-cwwg-4p8g

Plugin Details

Severity: Low

ID: 444051

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 6/27/2026

Updated: 6/29/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.0

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 2.3

Temporal Score: 1.7

Vector: CVSS2#AV:L/AC:H/Au:M/C:N/I:P/A:P

CVSS Score Source: CVE-2026-49358

CVSS v3

Risk Factor: Low

Base Score: 3.0

Temporal Score: 2.6

Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/26/2026

Vulnerability Publication Date: 6/19/2026

Reference Information

CVE: CVE-2026-49358

CWE: CWE-73