PT-2026-42693 · Knplabs · Snappy
Published 2026-05-21 · Updated 2026-05-21 · CVE-2026-46643
CVSS v4.0: 7.5 (High)
Vector: AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
KnpLabs Snappy versions prior to 1.7.1
Description
A shell injection issue exists on POSIX systems. There, escapeshellarg() returns the binary path wrapped in single quotes, so the subsequent is_executable() check, which is run on the escaped string rather than on the path itself, looks for a file whose name includes those quotes and fails. Execution therefore never takes the safe branch, and the $command variable keeps the raw, unescaped binary path. Whenever that path is influenced by user-controlled configuration, by environment variables derived from request data, or by concatenated user fragments, shell metacharacters in it reach the shell unchanged, giving command execution as the PHP process.
Recommendations
Update to version 1.7.1.
As a temporary workaround, ensure that is_executable($path) is truthy for the raw binary path before calling the constructor, and never derive that path from request data. Note that the check only rejects paths that do not name an existing executable; it does not help if an attacker is able to place an executable file on the host.
Fix
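The pattern the description refers to, reconstructed as an added PHP illustration that is not Snappy's own code: the vulnerable builder beside a hardened one, run against a constructed attacker-controlled path. The function names, the argument layout and the sample paths are assumptions made for the example.

```php
<?php
// Added illustration for this advisory; not Snappy's own code.
// Function names, argument layout and sample paths are assumptions.
declare(strict_types=1);

// Vulnerable pattern: on POSIX escapeshellarg() wraps the path in single
// quotes, so is_executable() is asked about a file literally named with
// those quotes. That file never exists, the safe branch is skipped, and
// the raw $binary is concatenated into the shell command unescaped.
function buildCommandVulnerable(string $binary, string $input, string $output): string
{
    $command = $binary;
    $escapedBinary = escapeshellarg($binary);
    if (is_executable($escapedBinary)) { // never true on POSIX
        $command = $escapedBinary;
    }

    return $command . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

// Hardened form: test the real path first, then quote it for the shell.
// A path that does not name an existing executable is rejected outright,
// and a path that does is always passed through escapeshellarg().
function buildCommandFixed(string $binary, string $input, string $output): string
{
    if (!is_executable($binary)) {
        throw new InvalidArgumentException(sprintf('Binary "%s" is not executable', $binary));
    }

    return escapeshellarg($binary) . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

// Constructed input: a binary path that an attacker could influence through
// a config value or an environment variable derived from request data.
$attackerBinary = '/usr/bin/wkhtmltopdf; id > /tmp/pwned #';
$input  = '/tmp/page.html';
$output = '/tmp/page.pdf';

// Vulnerable: the "; id > /tmp/pwned #" fragment survives into the command
// string, so a shell running it executes the injected command.
echo 'vulnerable: ', buildCommandVulnerable($attackerBinary, $input, $output), PHP_EOL;

// Fixed: the tainted path is rejected before any command string is built.
try {
    echo 'fixed: ', buildCommandFixed($attackerBinary, $input, $output), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'fixed: rejected (', $e->getMessage(), ')', PHP_EOL;
}
```

The hardened function is the same check the workaround above asks the caller to perform, moved to where the command is built. It closes the shell injection only: if an attacker controls the binary path at all, they can still point it at any executable already on the host, so the path must come from trusted configuration rather than from request data.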
Weakness Enumeration
OS Command Injection (CWE-78)
Related Identifiers
CVE-2026-46643
Affected Products
Snappy