CVE-2022-28368

Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).

CVE-2021-3838

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and insta...

CVE-2014-5013

DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.

CVE-2014-5011

DOMPDF before 0.6.2 allows Information Disclosure.

CVE-2022-0085

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.

CVE-2022-41343

registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.

CVE-2014-5012

DOMPDF before 0.6.2 allows denial of service.

CVE-2022-2400

External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0.

CVE-2021-3902

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to f...