PT-2026-42702 · Unknown · Knpsnappybundle

Published: 2026-05-21 · Updated: 2026-05-21 · CVE-2026-46683

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: KnpSnappyBundle (affected versions not specified)
Description: An issue exists that allows Server-Side Request Forgery (SSRF) and local file read. It occurs when an application passes user-supplied input directly to the Snappy library, specifically through the xsl-style-sheet parameter. The impact is most severe when the PHP daemon runs with root permissions and the application runs outside a container or has access to sensitive files.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Ensure that user input is not passed directly to the Snappy library. Instead, implement a whitelist of allowed stylesheets and select the appropriate one based on user input. Restrict the use of the xsl-style-sheet parameter to prevent unauthorized file access or remote requests.
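The pattern the description warns about, beside the whitelist approach the recommendation calls for, as an added example that is not code from the advisory or from the KnpSnappyBundle project. It assumes the Knp\Snappy\Pdf generator and its getOutputFromHtml() method; the stylesheet paths and the "theme" request parameter are constructed for illustration.

```php
<?php
// Added example; not part of the advisory or of KnpSnappyBundle itself.
// Assumes Knp\Snappy\Pdf::getOutputFromHtml(string $html, array $options).
use Knp\Snappy\Pdf;

// Weak pattern described in the advisory: a request value is handed straight
// to the xsl-style-sheet option, so the caller chooses which local file or
// URL wkhtmltopdf reads (local file read / SSRF).
function renderPdfUnsafe(Pdf $snappy, string $html, string $userStylesheet): string
{
    return $snappy->getOutputFromHtml($html, [
        'xsl-style-sheet' => $userStylesheet, // user-controlled, do not do this
    ]);
}

// Hardened pattern: user input only selects a key from a fixed whitelist.
// The real path is a constant the request can never alter.
const TOC_STYLESHEETS = [
    'default' => '/app/resources/toc/default.xsl', // constructed path
    'compact' => '/app/resources/toc/compact.xsl', // constructed path
];

// Map a request-supplied theme name to a whitelisted stylesheet path.
// Unknown names are rejected rather than passed through.
function resolveStylesheet(string $theme): string
{
    if (!array_key_exists($theme, TOC_STYLESHEETS)) {
        throw new InvalidArgumentException('Unknown stylesheet theme');
    }
    return TOC_STYLESHEETS[$theme];
}

function renderPdfSafe(Pdf $snappy, string $html, string $theme): string
{
    return $snappy->getOutputFromHtml($html, [
        'xsl-style-sheet' => resolveStylesheet($theme),
    ]);
}
```

If the application never needs a table-of-contents stylesheet at all, leaving the xsl-style-sheet option unset (and not exposing it to any request-derived option array) removes the path entirely.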

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-46683
GHSA-C5FP-P67M-GQ56

Affected Products

Knpsnappybundle