{"url":"http://public2.vulnerablecode.io/api/packages/51217?format=json","purl":"pkg:composer/dompdf/dompdf@0.6.0","type":"composer","namespace":"dompdf","name":"dompdf","version":"0.6.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42833?format=json","vulnerability_id":"VCID-5m3z-mj34-jfdd","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nDompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).","references":[{"reference_url":"http://packetstormsecurity.com/files/171738/Dompdf-1.2.1-Remote-Code-Execution.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/171738/Dompdf-1.2.1-Remote-Code-Execution.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-28368","reference_id":"","reference_type":"","scores":[{"value":"0.88271","scoring_system":"epss","scoring_elements":"0.99513","published_at":"2026-06-09T12:55:00Z"},{"value":"0.88271","scoring_system":"epss","scoring_elements":"0.99512","published_at":"2026-06-08T12:55:00Z"},{"value":"0.88271","scoring_system":"epss","scoring_elements":"0.9951","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-28368"},{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gi
thub.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d"},{"reference_url":"https://github.com/dompdf/dompdf/issues/2598","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/issues/2598"},{"reference_url":"https://github.com/dompdf/dompdf/pull/2808","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/pull/2808"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-28368.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-28368.yaml"},{"reference_url":"https://github.com/snyk-labs/php-goof","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/snyk-labs/php-goof"},{"reference_url":"https://packagist.org/
packages/dompdf/dompdf#v1.2.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/dompdf/dompdf#v1.2.1"},{"reference_url":"https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce"},{"reference_url":"https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/","reference_id":"","reference_type":"","scores":[],"url":"https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/51270.py","reference_id":"CVE-2022-28368","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/51270.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28368","reference_id":"CVE-2022-28368","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28368"},{"reference_url":"https://github.com/advisories/GHSA-x752-qjv4-c4hc","reference_id":"GHSA-x752-qjv4-c4hc","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com
/advisories/GHSA-x752-qjv4-c4hc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61255?format=json","purl":"pkg:composer/dompdf/dompdf@1.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5nst-eff2-afhb"},{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-chrn-tyhj-bqez"},{"vulnerability":"VCID-hyv8-4aty-7yhh"},{"vulnerability":"VCID-rpsw-n9zw-3be4"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@1.2.1"}],"aliases":["CVE-2022-28368","GHSA-x752-qjv4-c4hc"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5m3z-mj34-jfdd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56203?format=json","vulnerability_id":"VCID-5nst-eff2-afhb","summary":"Deserialization of Untrusted Data in dompdf/dompdf\nDomPDF before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. 
This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3838","reference_id":"","reference_type":"","scores":[{"value":"0.06926","scoring_system":"epss","scoring_elements":"0.91578","published_at":"2026-06-05T12:55:00Z"},{"value":"0.06926","scoring_system":"epss","scoring_elements":"0.91588","published_at":"2026-06-09T12:55:00Z"},{"value":"0.06926","scoring_system":"epss","scoring_elements":"0.9158","published_at":"2026-06-06T12:55:00Z"},{"value":"0.06926","scoring_system":"epss","scoring_elements":"0.91565","published_at":"2026-06-04T12:55:00Z"},{"value":"0.06926","scoring_system":"epss","scoring_elements":"0.91573","published_at":"2026-06-08T12:55:00Z"},{"value":"0.06926","scoring_system":"epss","scoring_elements":"0.91576","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3838"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3838","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3838"},{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"val
ue":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-18T14:40:28Z/"}],"url":"https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a"},{"reference_url":"https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-18T14:40:28Z/"}],"url":"https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3838","reference_id":"CVE-2021-3838","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3838"},{"reference_url":"https://github.com/advisories/GHSA-577p-7j7h-2jgf","reference_id":"GHSA-577p-7j7h-2jgf","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-577p-7j7h-2jgf"},{"reference_url":"https://usn.ubuntu.com/6277-1/","reference_id":"USN-6277-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6277-1/"},{"reference_url":"https://usn.ubuntu.com/6277-2/","reference_id":"USN-6277-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6277-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83265?format=json","purl":"pkg:composer/dompdf/dompdf@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-96zg-zb4z-wufg"},{"v
ulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@2.0.0"}],"aliases":["CVE-2021-3838","GHSA-577p-7j7h-2jgf"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5nst-eff2-afhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37669?format=json","vulnerability_id":"VCID-8dbt-judt-5bhz","summary":"Arbitrary file read\nAn arbitrary file read vulnerability is present in the dompdf.php file that allows remote or local attackers to read local files using a specially crafted argument. This vulnerability requires the configuration flag DOMPDF_ENABLE_PHP to be enabled (which is disabled by default). Using PHP protocols and wrappers, it is possible to bypass dompdf's \"chroot\" protection (DOMPDF_CHROOT), which prevents dompdf from accessing system files or other files on the webserver. Please note that the flag DOMPDF_ENABLE_REMOTE needs to be 
enabled.","references":[{"reference_url":"http://cxsecurity.com/issue/WLB-2014040158","reference_id":"","reference_type":"","scores":[],"url":"http://cxsecurity.com/issue/WLB-2014040158"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-2383","reference_id":"","reference_type":"","scores":[{"value":"0.5489","scoring_system":"epss","scoring_elements":"0.98086","published_at":"2026-06-09T12:55:00Z"},{"value":"0.5489","scoring_system":"epss","scoring_elements":"0.98087","published_at":"2026-06-08T12:55:00Z"},{"value":"0.5489","scoring_system":"epss","scoring_elements":"0.98089","published_at":"2026-06-06T12:55:00Z"},{"value":"0.5489","scoring_system":"epss","scoring_elements":"0.98088","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-2383"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2383","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2383"},{"reference_url":"http://seclists.org/fulldisclosure/2014/Apr/258","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2014/Apr/258"},{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/dompdf/commit/23a693993299e669306929e3d49a4a1f7b3fb028","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/commit/23a693993299e669306929e3d49a4a1f7b3fb028"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-2383.yaml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system"
:"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-2383.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2383","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-2383"},{"reference_url":"https://web.archive.org/web/20151215023329/http://www.securityfocus.com/archive/1/531912/100/0/threaded","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20151215023329/http://www.securityfocus.com/archive/1/531912/100/0/threaded"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745619","reference_id":"745619","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745619"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/33004.txt","reference_id":"CVE-2014-2383;OSVDB-106083","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/33004.txt"},{"reference_url":"https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/","reference_id":"CVE-2014-2383;OSVDB-106083","reference_type":"exploit","scores":[],"url":"https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/"},{"reference_url":"https://github.com/advisories/GHSA-qr6q-w4gj-3865","reference_id":"GHSA-qr6q-w4gj-3865","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qr6q-w4gj-3865"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51218?format=json","purl":"pkg:composer/dompdf/dompdf@0.6.1","is_vulnerable":true,"affected_
by_vulnerabilities":[{"vulnerability":"VCID-5m3z-mj34-jfdd"},{"vulnerability":"VCID-5nst-eff2-afhb"},{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-bp4u-fm35-fbcu"},{"vulnerability":"VCID-chrn-tyhj-bqez"},{"vulnerability":"VCID-hyv8-4aty-7yhh"},{"vulnerability":"VCID-ma8g-am1x-buhw"},{"vulnerability":"VCID-rpsw-n9zw-3be4"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-uhqc-bgdm-5bhn"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@0.6.1"}],"aliases":["CVE-2014-2383","GHSA-qr6q-w4gj-3865"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8dbt-judt-5bhz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97884?format=json","vulnerability_id":"VCID-96zg-zb4z-wufg","summary":"registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face 
rule.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41343","reference_id":"","reference_type":"","scores":[{"value":"0.54023","scoring_system":"epss","scoring_elements":"0.98055","published_at":"2026-06-04T12:55:00Z"},{"value":"0.54023","scoring_system":"epss","scoring_elements":"0.98056","published_at":"2026-06-09T12:55:00Z"},{"value":"0.54023","scoring_system":"epss","scoring_elements":"0.98057","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41343"},{"reference_url":"https://github.com/advisories/GHSA-6x28-7h8c-chx4","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6x28-7h8c-chx4"},{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2"},{"reference_url":"https://github.com/dompdf/dompdf/issues/2994","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scorin
g_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-22T14:40:39Z/"}],"url":"https://github.com/dompdf/dompdf/issues/2994"},{"reference_url":"https://github.com/dompdf/dompdf/pull/2995","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-22T14:40:39Z/"}],"url":"https://github.com/dompdf/dompdf/pull/2995"},{"reference_url":"https://github.com/dompdf/dompdf/releases/tag/v2.0.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-22T14:40:39Z/"}],"url":"https://github.com/dompdf/dompdf/releases/tag/v2.0.1"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-41343.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-41343.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41343","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41343"},{"reference_url":"https://tantosec.com/bl
og/cve-2022-41343","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tantosec.com/blog/cve-2022-41343"},{"reference_url":"https://tantosec.com/blog/cve-2022-41343/","reference_id":"CVE-2022-41343","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-22T14:40:39Z/"}],"url":"https://tantosec.com/blog/cve-2022-41343/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63785?format=json","purl":"pkg:composer/dompdf/dompdf@2.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3184-9che-mbdk"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@2.0.1"}],"aliases":["CVE-2022-41343","GHSA-6x28-7h8c-chx4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-96zg-zb4z-wufg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37964?format=json","vulnerability_id":"VCID-bp4u-fm35-fbcu","summary":"Uncontrolled Resource Consumption\nDenial Of Service attack vector in 
dompdf.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-5012","reference_id":"","reference_type":"","scores":[{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33326","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33279","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33257","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.3329","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33208","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00136","scoring_system":"epss","scoring_elements":"0.33311","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-5012"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5012","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5012"},{"reference_url":"https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2"},{"reference_url":"https://github.com/dompdf/dompdf/releases/tag/v0.6.2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/releases/tag/v0.6.2"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-5012.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5",
"scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-5012.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-5012","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-5012"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813849","reference_id":"813849","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813849"},{"reference_url":"https://github.com/advisories/GHSA-q83c-64c9-c42m","reference_id":"GHSA-q83c-64c9-c42m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q83c-64c9-c42m"},{"reference_url":"https://usn.ubuntu.com/6277-1/","reference_id":"USN-6277-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6277-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52433?format=json","purl":"pkg:composer/dompdf/dompdf@0.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5m3z-mj34-jfdd"},{"vulnerability":"VCID-5nst-eff2-afhb"},{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-chrn-tyhj-bqez"},{"vulnerability":"VCID-hyv8-4aty-7yhh"},{"vulnerability":"VCID-rpsw-n9zw-3be4"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@0.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/188029?format=json","purl":"pkg:composer/dompdf/dompdf@0.7.0-beta","is_vulnerable":true,"
affected_by_vulnerabilities":[{"vulnerability":"VCID-5m3z-mj34-jfdd"},{"vulnerability":"VCID-5nst-eff2-afhb"},{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-chrn-tyhj-bqez"},{"vulnerability":"VCID-hyv8-4aty-7yhh"},{"vulnerability":"VCID-rpsw-n9zw-3be4"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@0.7.0-beta"}],"aliases":["CVE-2014-5012","GHSA-q83c-64c9-c42m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bp4u-fm35-fbcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56199?format=json","vulnerability_id":"VCID-chrn-tyhj-bqez","summary":"Improper Restriction of XML External Entity Reference in dompdf/dompdf\nAn improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. 
It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3902","reference_id":"","reference_type":"","scores":[{"value":"0.0509","scoring_system":"epss","scoring_elements":"0.89989","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0509","scoring_system":"epss","scoring_elements":"0.89992","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0509","scoring_system":"epss","scoring_elements":"0.90003","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0509","scoring_system":"epss","scoring_elements":"0.89977","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0509","scoring_system":"epss","scoring_elements":"0.89988","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3902"},{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-18T14:34:31Z/"}],"url":"https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799"},{"reference_url":"https://huntr.com/bounties/a6071c07-806f-429a-8656-a4742e4191b1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_sy
stem":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-18T14:34:31Z/"}],"url":"https://huntr.com/bounties/a6071c07-806f-429a-8656-a4742e4191b1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3902","reference_id":"CVE-2021-3902","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3902"},{"reference_url":"https://github.com/advisories/GHSA-3vjh-xrhf-v9xh","reference_id":"GHSA-3vjh-xrhf-v9xh","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3vjh-xrhf-v9xh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83265?format=json","purl":"pkg:composer/dompdf/dompdf@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@2.0.0"}],"aliases":["CVE-2021-3902","GHSA-3vjh-xrhf-v9xh"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-chrn-tyhj-bqez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97882?format=json","vulnerability_id":"VCID-hyv8-4aty-7yhh","summary":"Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 
2.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0085","reference_id":"","reference_type":"","scores":[{"value":"0.00437","scoring_system":"epss","scoring_elements":"0.6339","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00437","scoring_system":"epss","scoring_elements":"0.63438","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00437","scoring_system":"epss","scoring_elements":"0.63421","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00437","scoring_system":"epss","scoring_elements":"0.63433","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00437","scoring_system":"epss","scoring_elements":"0.63442","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00437","scoring_system":"epss","scoring_elements":"0.63434","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-0085"},{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-0085.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gith
ub.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-0085.yaml"},{"reference_url":"https://huntr.dev/bounties/73dbcc78-5ba9-492f-9133-13bbc9f31236","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/73dbcc78-5ba9-492f-9133-13bbc9f31236"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0085","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0085"},{"reference_url":"https://github.com/advisories/GHSA-pf6p-25r2-fx45","reference_id":"GHSA-pf6p-25r2-fx45","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pf6p-25r2-fx45"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83265?format=json","purl":"pkg:composer/dompdf/dompdf@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@2.0.0"}],"aliases":["CVE-2022-0085","GHSA-pf6p-25r2-fx45"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hyv8-4aty-7yhh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37962?format=json","vulnerability_id":"VCID-ma8g-am1x-buhw","summary":"Code Injection\nDompdf contains a Remote Code Execution 
vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-5013","reference_id":"","reference_type":"","scores":[{"value":"0.25607","scoring_system":"epss","scoring_elements":"0.96346","published_at":"2026-06-08T12:55:00Z"},{"value":"0.25607","scoring_system":"epss","scoring_elements":"0.96352","published_at":"2026-06-09T12:55:00Z"},{"value":"0.25607","scoring_system":"epss","scoring_elements":"0.96338","published_at":"2026-06-04T12:55:00Z"},{"value":"0.25607","scoring_system":"epss","scoring_elements":"0.96342","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-5013"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5013","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5013"},{"reference_url":"https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2"},{"reference_url":"https://github.com/dompdf/dompdf/releases/tag/v0.6.2","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/releases/tag/v0.6.2"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-5013.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advi
sories/blob/master/dompdf/dompdf/CVE-2014-5013.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-5013","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-5013"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813849","reference_id":"813849","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813849"},{"reference_url":"https://github.com/advisories/GHSA-jjwj-w3gc-gcw4","reference_id":"GHSA-jjwj-w3gc-gcw4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjwj-w3gc-gcw4"},{"reference_url":"https://usn.ubuntu.com/6277-1/","reference_id":"USN-6277-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6277-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52433?format=json","purl":"pkg:composer/dompdf/dompdf@0.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5m3z-mj34-jfdd"},{"vulnerability":"VCID-5nst-eff2-afhb"},{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-chrn-tyhj-bqez"},{"vulnerability":"VCID-hyv8-4aty-7yhh"},{"vulnerability":"VCID-rpsw-n9zw-3be4"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@0.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/188029?format=json","purl":"pkg:composer/dompdf/dompdf@0.7.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5m3z-mj34-jfdd"},{"vulnerability":"VCID-5nst-eff2-afhb"},{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-chrn-tyhj-bqez"},{"vulnerability":"VCID-hyv8-4aty-7yhh"},{"vu
lnerability":"VCID-rpsw-n9zw-3be4"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@0.7.0-beta"}],"aliases":["CVE-2014-5013","GHSA-jjwj-w3gc-gcw4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ma8g-am1x-buhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97883?format=json","vulnerability_id":"VCID-rpsw-n9zw-3be4","summary":"External Control of File Name or Path in GitHub repository dompdf/dompdf prior to 2.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2400","reference_id":"","reference_type":"","scores":[{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.54131","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.54184","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.54162","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.54185","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.54195","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00306","scoring_system":"epss","scoring_elements":"0.54187","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-2400"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2400","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2400"},{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"
https://github.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a"},{"reference_url":"https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00017.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2400","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2400"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015874","reference_id":"1015874","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015874"},{"reference_url":"https://github.com/advisories/GHSA-5qj8-6xxj-hp9h","reference_id":"GHSA-5qj8-6xxj-hp9h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr"
,"scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5qj8-6xxj-hp9h"},{"reference_url":"https://usn.ubuntu.com/6277-1/","reference_id":"USN-6277-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6277-1/"},{"reference_url":"https://usn.ubuntu.com/6277-2/","reference_id":"USN-6277-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6277-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83265?format=json","purl":"pkg:composer/dompdf/dompdf@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@2.0.0"}],"aliases":["CVE-2022-2400","GHSA-5qj8-6xxj-hp9h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rpsw-n9zw-3be4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46651?format=json","vulnerability_id":"VCID-tab5-7rre-b3hs","summary":"Uncontrolled Recursion\nDompdf is an HTML to PDF converter for PHP. When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, prior to version 2.0.4, a recursive chain using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.\n\nphp-svg-lib, when run in isolation, does not support SVG references for `image` elements. However, when used in combination with Dompdf, php-svg-lib will process SVG images referenced by an `image` element. Dompdf currently includes validation to prevent self-referential `image` references, but a chained reference is not checked. 
A malicious actor may thus trigger infinite recursion by chaining references between two or more SVG images.\n\nWhen Dompdf parses a malicious payload, it will crash after exceeding the allowed execution time or memory usage. An attacker sending multiple requests to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming requests.\n\nVersion 2.0.4 contains a fix for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50262","reference_id":"","reference_type":"","scores":[{"value":"0.06147","scoring_system":"epss","scoring_elements":"0.90981","published_at":"2026-06-07T12:55:00Z"},{"value":"0.06147","scoring_system":"epss","scoring_elements":"0.90995","published_at":"2026-06-09T12:55:00Z"},{"value":"0.06147","scoring_system":"epss","scoring_elements":"0.90978","published_at":"2026-06-08T12:55:00Z"},{"value":"0.06147","scoring_system":"epss","scoring_elements":"0.90984","published_at":"2026-06-06T12:55:00Z"},{"value":"0.06147","scoring_system":"epss","scoring_elements":"0.90985","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-50262"},{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153"},{"reference_url":"https://github.com/dompdf/dompdf/commit/41cba
c16f3cf56affa49f06e8dae66d0eac2b593","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/commit/41cbac16f3cf56affa49f06e8dae66d0eac2b593"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-50262.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-50262.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058793","reference_id":"1058793","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058793"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50262","reference_id":"CVE-2023-50262","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50262"},{"reference_url":"https://github.com/advisories/GHSA-3qx2-6f78-w2j2","reference_id":"GHSA-3qx2-6f78-w2j2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3qx2-6f78-w2j2"},{"reference_url":"https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2","reference_id":"GHSA-3qx2-6f78-w2j2","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_
elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/security/advisories/GHSA-3qx2-6f78-w2j2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68178?format=json","purl":"pkg:composer/dompdf/dompdf@2.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@2.0.4"}],"aliases":["CVE-2023-50262","GHSA-3qx2-6f78-w2j2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tab5-7rre-b3hs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37965?format=json","vulnerability_id":"VCID-uhqc-bgdm-5bhn","summary":"Information Disclosure in dompdf.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-5011","reference_id":"","reference_type":"","scores":[{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.39872","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.39921","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.39905","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.39932","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.3996","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.39957","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-5011"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5011","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5011"},{"reference_url":"https://github.com/dompdf/dompdf/commit/cc06008f75262
510ee135b8cbb14e333a309f651","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/commit/cc06008f75262510ee135b8cbb14e333a309f651"},{"reference_url":"https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2"},{"reference_url":"https://github.com/dompdf/dompdf/releases/tag/v0.6.2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/releases/tag/v0.6.2"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-5011.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-5011.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-5011","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-5011"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813849",
"reference_id":"813849","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813849"},{"reference_url":"https://github.com/advisories/GHSA-jwf8-mjj8-r8hq","reference_id":"GHSA-jwf8-mjj8-r8hq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jwf8-mjj8-r8hq"},{"reference_url":"https://usn.ubuntu.com/6277-1/","reference_id":"USN-6277-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6277-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52433?format=json","purl":"pkg:composer/dompdf/dompdf@0.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5m3z-mj34-jfdd"},{"vulnerability":"VCID-5nst-eff2-afhb"},{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-chrn-tyhj-bqez"},{"vulnerability":"VCID-hyv8-4aty-7yhh"},{"vulnerability":"VCID-rpsw-n9zw-3be4"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@0.6.2"},{"url":"http://public2.vulnerablecode.io/api/packages/188029?format=json","purl":"pkg:composer/dompdf/dompdf@0.7.0-beta","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5m3z-mj34-jfdd"},{"vulnerability":"VCID-5nst-eff2-afhb"},{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-chrn-tyhj-bqez"},{"vulnerability":"VCID-hyv8-4aty-7yhh"},{"vulnerability":"VCID-rpsw-n9zw-3be4"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@0.7.0-beta"}],"aliases":["CVE-2014-5011","GHSA-jwf8-mjj8-r8hq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uhqc-bgdm-5bhn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4
7099?format=json","vulnerability_id":"VCID-vwkz-8yc4-jbeu","summary":"Dompdf's usage of vulnerable version of phenx/php-svg-lib leads to restriction bypass and potential RCE\n### Summary\nWhen an inline CSS font is defined, the font path returned by php-svg-lib is not sanitized or checked before Cpdf uses it to open a font. The path is passed to a `file_exists` call, which is sufficient to trigger metadata unserializing on a PHAR file through the phar:// URL handler on PHP < 8.0. On other versions, it might be used as a way to get an SSRF (through, for example, ftp) that is not restricted by the authorized protocols configured on dompdf.\n\n### Details\nThe problem lies in the `openFont` function of the `lib/Cpdf.php` library, where the `$font` variable passed by php-svg-lib isn't checked correctly. A path is built from $name and $dir, two values that can be controlled through CSS:\n\n```\n$name = basename($font);\n$dir = dirname($font);\n[...]\n$metrics_name = \"$name.ufm\";\n[...]\n\nif (!isset($this->fonts[$font]) && file_exists(\"$dir/$metrics_name\")) {\n```\n\nPassing a font named `phar:///foo/bar/baz.phar/test` will set the value of $name to `test` and $dir to `phar:///foo/bar/baz.phar`, which once reconstructed will call file_exists on `phar:///foo/bar/baz.phar/test.ufm`. 
That allows to deserialize the `baz.phar` arbitrary file that contains a `test.ufm` file in the archive.","references":[{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa"},{"reference_url":"https://github.com/advisories/GHSA-97m3-52wr-xvv2","reference_id":"GHSA-97m3-52wr-xvv2","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-97m3-52wr-xvv2"},{"reference_url":"https://github.com/dompdf/dompdf/security/advisories/GHSA-97m3-52wr-xvv2","reference_id":"GHSA-97m3-52wr-xvv2","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/security/advisories/GHSA-97m3-52wr-xvv2"},{"reference_url":"https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273","reference_id":"GHSA-f3qr-qr4x-j273","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scor
ing_elements":""}],"url":"https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273"}],"fixed_packages":[],"aliases":["GHSA-97m3-52wr-xvv2","GMS-2024-338","GMS-2024-341"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vwkz-8yc4-jbeu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37418?format=json","vulnerability_id":"VCID-wf5y-5br8-pyeb","summary":"Code Injection\nPHP remote file inclusion vulnerability in dompdf.php in dompdf allows remote attackers to execute arbitrary PHP code via a URL in the `input_file` parameter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-4879","reference_id":"","reference_type":"","scores":[{"value":"0.01114","scoring_system":"epss","scoring_elements":"0.7855","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01114","scoring_system":"epss","scoring_elements":"0.7852","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01114","scoring_system":"epss","scoring_elements":"0.78546","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01114","scoring_system":"epss","scoring_elements":"0.78554","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01114","scoring_system":"epss","scoring_elements":"0.78544","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01114","scoring_system":"epss","scoring_elements":"0.78532","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-4879"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4879","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4879"},{"reference_url":"https://github.com/dompdf/dompdf","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf"},{"reference_url":"https://github.com/dompdf/dompdf/commit/23a693993299
e669306929e3d49a4a1f7b3fb028","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/commit/23a693993299e669306929e3d49a4a1f7b3fb028"},{"reference_url":"https://github.com/dompdf/dompdf/releases/tag/v0.6.2","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/releases/tag/v0.6.2"},{"reference_url":"https://github.com/dompdf/dompdf/wiki/Securing-dompdf","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/dompdf/dompdf/wiki/Securing-dompdf"},{"reference_url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2010-4879.yaml","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2010-4879.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2010-4879","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2010-4879"},{"reference_url":"http://www.exploit-db.com/exploits/14851","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.exploit-db.com/exploits/14851"},{"reference_url":"https://github.com/advisories/GHSA-48r9-4v93-x4wh","reference_id":"GHSA-48r9-4v93-x4wh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-48r9-4v93-x4wh"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/14851.txt","reference_id":"OSVDB-56579;CVE-2010-4879","
reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/14851.txt"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51218?format=json","purl":"pkg:composer/dompdf/dompdf@0.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5m3z-mj34-jfdd"},{"vulnerability":"VCID-5nst-eff2-afhb"},{"vulnerability":"VCID-96zg-zb4z-wufg"},{"vulnerability":"VCID-bp4u-fm35-fbcu"},{"vulnerability":"VCID-chrn-tyhj-bqez"},{"vulnerability":"VCID-hyv8-4aty-7yhh"},{"vulnerability":"VCID-ma8g-am1x-buhw"},{"vulnerability":"VCID-rpsw-n9zw-3be4"},{"vulnerability":"VCID-tab5-7rre-b3hs"},{"vulnerability":"VCID-uhqc-bgdm-5bhn"},{"vulnerability":"VCID-vwkz-8yc4-jbeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@0.6.1"}],"aliases":["CVE-2010-4879","GHSA-48r9-4v93-x4wh"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wf5y-5br8-pyeb"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/dompdf/dompdf@0.6.0"}