{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-46643/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["knp-snappy (\u003c= 1.7.0)"],"_cs_severities":["high"],"_cs_tags":["command-injection","php","knp-snappy","CVE-2026-46643"],"_cs_type":"advisory","_cs_vendors":["KnpLabs"],"content_html":"\u003cp\u003eThe KnpLabs knp-snappy library, a PHP wrapper for the \u003ccode\u003ewkhtmltopdf\u003c/code\u003e and \u003ccode\u003ewkhtmltoimage\u003c/code\u003e utilities, is susceptible to a command injection vulnerability (CVE-2026-46643) in versions 1.7.0 and earlier. The vulnerability arises from an incorrect implementation of input sanitization, specifically, an inverted \u003ccode\u003eis_executable\u003c/code\u003e check that causes the binary path to bypass shell escaping. This flaw can be exploited when the binary path is derived from user-influenced configuration, environment variables originating from request data, or concatenated with user-controlled fragments. An attacker can inject arbitrary commands into the binary path, leading to command execution on the server. This is a regression, since downstream packages reasonably assume Snappy shell-escapes the binary. 
The vulnerability was patched in version 1.7.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a web application utilizing the vulnerable knp-snappy library (version 1.7.0 or earlier) to generate PDFs.\u003c/li\u003e\n\u003cli\u003eThe attacker determines that the path to the \u003ccode\u003ewkhtmltopdf\u003c/code\u003e binary is configurable via a user-controlled source (e.g., a configuration file or environment variable).\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious command into the binary path. For example, setting the binary path to \u003ccode\u003ewkhtmltopdf; touch /tmp/snappy_rce\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe web application uses the knp-snappy library to generate a PDF, passing the attacker-controlled binary path to the \u003ccode\u003eKnp\\Snappy\\Pdf\u003c/code\u003e constructor.\u003c/li\u003e\n\u003cli\u003eDue to the flawed \u003ccode\u003eis_executable\u003c/code\u003e check, the binary path is not properly shell-escaped.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewkhtmltopdf\u003c/code\u003e utility is invoked with the injected command.\u003c/li\u003e\n\u003cli\u003eThe injected command is executed on the server with the privileges of the PHP process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution, potentially leading to further compromise of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the server hosting the vulnerable web application. The impact ranges from reading sensitive files and modifying application data to full system compromise, depending on the permissions of the PHP process. 
This vulnerability affects applications that rely on knp-snappy for PDF generation and where the binary path is sourced from a user-influenced location. Even if the binary path is hardcoded, this is a defense-in-depth regression.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to knp-snappy version 1.7.1 or later to patch CVE-2026-46643.\u003c/li\u003e\n\u003cli\u003eAs a workaround, implement a check using \u003ccode\u003e\\is_executable($path)\u003c/code\u003e before calling the \u003ccode\u003eKnp\\Snappy\\Pdf\u003c/code\u003e constructor to ensure the binary path is valid.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect knp-snappy Command Injection Attempt\u0026rdquo; to identify attempts to exploit this vulnerability by detecting shell metacharacters in process command lines.\u003c/li\u003e\n\u003cli\u003eReview all instances where the \u003ccode\u003ewkhtmltopdf\u003c/code\u003e binary path is configured and ensure that user input is properly validated and sanitized to prevent command injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:23:10Z","date_published":"2026-05-21T20:23:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-snappy-command-injection/","summary":"KnpLabs knp-snappy versions 1.7.0 and earlier are vulnerable to command injection (CVE-2026-46643) due to an inverted is_executable check, which prevents proper shell escaping of the binary path, potentially leading to command execution if the binary path is attacker-influenced.","title":"KnpLabs knp-snappy Command Injection Vulnerability (CVE-2026-46643)","url":"https://feed.craftedsignal.io/briefs/2026-05-snappy-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-46643","version":"https://jsonfeed.org/version/1.1"}