
6 matches found

Positive Technologies
added 2026/05/21 12:0 a.m., 6 views

PT-2026-42693

Name of the Vulnerable Software and Affected Versions: KnpLabs Snappy versions prior to 1.7.1. Description: A shell injection issue exists on POSIX systems where the escapeshellarg function returns a string containing single-quote characters. This causes the is_executable check to fail, as it search...

7.5 CVSS, 5.9 AI score
Exploits 0, References 4
Microsoft CVE
added 2025/09/03 9:56 p.m., 2 views

Unsafe deserialization in knplabs/knp-snappy

...

9.8 CVSS, 7 AI score, 0.01582 EPSS
Exploits 1
Vulnrichment
added 2023/09/06 5:33 p.m., 24 views

CVE-2023-41330 Unsafe deserialization in knplabs/knp-snappy

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Issue: On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check if...

9.8 CVSS, 7.9 AI score, 0.01582 EPSS
Exploits 1, References 3
OSV
added 2023/09/06 5:33 p.m., 14 views

CVE-2023-41330 Unsafe deserialization in knplabs/knp-snappy

knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Issue: On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check if...

9.8 CVSS, 9.7 AI score, 0.01582 EPSS
Exploits 1, References 5
CVE
added 2023/09/06 5:33 p.m., 32 views

CVE-2023-41330

CVE-2023-41330 affects knplabs/knp-snappy (PHP library for thumbnail/snapshot/PDF generation). The issue is an unsafe PHAR deserialization vulnerability related to how output filenames are handled when generateFromHtml() can be controlled and passed to prepareOutput(). Although a patch was added i...

9.8 CVSS, 9.8 AI score, 0.01582 EPSS
Exploits 1, References 3, Affected Software 1
Veracode
added 2023/03/23 12:53 a.m., 61 views

Remote Code Execution (RCE)

knplabs/knp-snappy is vulnerable to Remote Code Execution (RCE). The vulnerability is due to the library not checking the file type during upload, which allows an attacker to upload a phar:// file which will be deserialized during the file_exists function because it fails to check the file type,...

9.8 CVSS, 9.4 AI score, 0.11387 EPSS
Exploits 1, References 7, Affected Software 1