HIGH | CVE-2026-46643 | CNA: GitHub_M

CVE-2026-46643: Snappy: Binary path is never shell-escaped due to an inverted is_executable check

Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.7.1, on POSIX, escapeshellarg('/usr/bin/wkhtmltopdf') returns the literal string '/usr/bin/wkhtmltopdf' with the single-quote characters included. is_executable() then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and $command always falls through to the raw, unescaped value. The rest of the arguments (options, input, output) are escaped correctly, so injection has to land in the binary string itself. That happens whenever the binary path is sourced from configuration that is user-influenced, derived from environment variables that ultimately come from request data, or concatenated with any user-controlled fragment. This issue has been patched in version 1.7.1.

Metrics

  • CVSS v4.0: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A binary path injection vulnerability that requires no authentication exists in KnpLabs Snappy, a PHP library for generating thumbnails, snapshots, and PDFs via wkhtmltopdf. Because an inverted is_executable check causes the binary path to be passed to the shell completely unescaped, an attacker who can influence the binary path string (through configuration, environment variables, or request-derived concatenation) can inject arbitrary shell commands. Successful exploitation gives the attacker full control over the host process, including reading, modifying, and crashing the affected service. No fix version has been published upstream; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle the KnpLabs Snappy library at any affected version below 1.7.1. Both direct dependencies and transitive inclusions are covered by the scan pipeline.

Status: Available
Triage

HarborGuard scores this finding at CVSS 7.5 HIGH (v4.0) and weights it against each environment's compliance policy to determine routing priority. Triage tickets are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host, or a code path that passes user-influenced input into the Snappy binary path configuration; no over-the-network vector is required.

  • Authentication: Not required

    No authentication is required; the vulnerability is reachable by any process or request that can influence the binary path string passed to Snappy.

  • Victim interaction: Not required

    No victim interaction is needed; exploitation occurs automatically when the vulnerable code path executes with attacker-controlled input.

  • Attack complexity: Detail

    Attack complexity is low for the injection itself, but the AT:P token indicates a specific target condition must exist (user-influenced binary path configuration or environment variable sourcing), making opportunistic mass exploitation less reliable.

Blast Radius

  • Attacker executes arbitrary shell commands under the web server or PHP process user account, gaining full control of that process.
  • Attacker reads files accessible to the process, including application secrets, session tokens, database credentials, and environment variables.
  • Attacker modifies or deletes files writable by the process, including application code, configuration, and stored data.
  • Attacker crashes or destabilizes the PDF generation service, causing denial of functionality for dependent application features.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against all scanned images containing KnpLabs Snappy below version 1.7.1, with findings surfaced in the dashboard and routed per each environment's compliance policy. Because no upstream fix has shipped, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment version 1.7.1 or a subsequent fix is published upstream. For customers with auto-remediation enabled, that rebuild will include a regression-test run and a PR opened against affected workloads with no manual intervention required. In the interim, compensating controls to consider include restricting the Snappy binary path to a hardcoded, non-configurable value in application code, applying network-policy isolation to containers running Snappy to limit lateral movement if exploitation occurs, and auditing any code path where the binary path is sourced from environment variables or request-derived configuration to confirm no user-controlled fragment can reach it.
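The inverted check from the CVE description, next to one hardened alternative that also applies the hardcoded-path control listed above, as an added PHP example (not Snappy's source and not HarborGuard's code). The function names, the allowlist and the temp-file sample are assumptions constructed for illustration; POSIX behaviour of escapeshellarg() is assumed.

```php
<?php
// Added illustration. Function names are hypothetical, not taken from Snappy.

// Pattern described in the advisory: the executability test is run on the
// *escaped* string, so it looks for a file whose name includes the quotes.
function resolveBinaryInverted(string $binary): string
{
    $escaped = escapeshellarg($binary);          // "'/path/to/bin'" on POSIX
    return is_executable($escaped) ? $escaped    // safe branch: never reached
                                   : $binary;    // raw, unescaped fall-through
}

// One hardened form: test the raw path, pin it to an allowlist of resolved
// paths, and always hand the shell the escaped value.
function resolveBinaryHardened(string $binary, array $allowed): string
{
    $real = realpath($binary);                   // false if the path does not exist
    if ($real === false
        || !in_array($real, $allowed, true)
        || !is_file($real)
        || !is_executable($real)) {
        throw new InvalidArgumentException('binary path rejected');
    }
    return escapeshellarg($real);
}

// Constructed sample: a stub executable in a directory whose name has a space,
// so the difference between raw and escaped output is visible.
$dir = sys_get_temp_dir() . '/snappy demo ' . getmypid();
mkdir($dir);
$bin = $dir . '/wkhtmltopdf';
file_put_contents($bin, "#!/bin/sh\nexit 0\n");
chmod($bin, 0755);
$allowed = [realpath($bin)];

echo "inverted: ", resolveBinaryInverted($bin), "\n";
echo "hardened: ", resolveBinaryHardened($bin, $allowed), "\n";

// A path with an extra concatenated fragment does not resolve to an
// allowlisted file, so the hardened resolver refuses it.
try {
    resolveBinaryHardened($bin . ' --version', $allowed);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

unlink($bin);
rmdir($dir);
```

When auditing application code, the same comparison applies: any value that reaches the binary path from configuration or the environment should resolve to an entry in a fixed allowlist before it is used.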

Affected packages
  • KnpLabs / snappy
    < 1.7.1
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N