Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-6nv6-chqa-xkbk
Vulnerability ID VCID-6nv6-chqa-xkbk
Aliases CVE-2023-24813
GHSA-56gj-mvh6-rp75
Summary Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` is specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98` which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-436 Interpretation Conflict
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.09321 https://api.first.org/data/v1/epss?cve=CVE-2023-24813
epss 0.09321 https://api.first.org/data/v1/epss?cve=CVE-2023-24813
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-56gj-mvh6-rp75
cvssv3.1 10.0 https://github.com/dompdf/dompdf
generic_textual CRITICAL https://github.com/dompdf/dompdf
cvssv3.1 10 https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
cvssv3.1 10.0 https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
generic_textual CRITICAL https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
ssvc Track* https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
cvssv3.1 10 https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
cvssv3.1 10.0 https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
cvssv3.1_qr CRITICAL https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
generic_textual CRITICAL https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
ssvc Track* https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
cvssv3.1 10.0 https://nvd.nist.gov/vuln/detail/CVE-2023-24813
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2023-24813
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-24813
https://github.com/dompdf/dompdf
https://nvd.nist.gov/vuln/detail/CVE-2023-24813
95009ea98230f9b084b040c34e3869ef3dccc9aa https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
GHSA-56gj-mvh6-rp75 https://github.com/advisories/GHSA-56gj-mvh6-rp75
GHSA-56gj-mvh6-rp75 https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
Data source Metasploit
Description This module exploits CVE-2022-28368, a Remote Code Execution vulnerability in dompdf versions prior to 1.2.1. The vulnerability exists because dompdf preserves the original file extension when caching fonts downloaded via CSS @font-face rules. By pointing a @font-face src to a .php file containing a valid TrueType font header with embedded PHP code, the file is saved in the dompdf font cache (lib/fonts/) with its .php extension intact. The cached file can then be executed by directly requesting it from the web server. For dompdf versions <= 0.8.5, remote font loading works regardless of the $isRemoteEnabled setting. For versions 0.8.6 through 1.2.0, the $isRemoteEnabled option must be set to true. This module requires the ability to inject HTML/CSS into the data processed by dompdf (e.g., via an XSS, a user-controlled form field, or a direct parameter) and that the dompdf font cache directory is web-accessible.
Note 
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - artifacts-on-disk
  - ioc-in-logs
Ransomware campaign use Unknown
Source publication date April 5, 2022
Platform PHP
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/dompdf_rce_cve_2022_28368.rb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/dompdf/dompdf
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:26Z/ Found at https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:26Z/ Found at https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-24813
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.92937
EPSS Score 0.09321
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:29:09.407576+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2023/24xxx/CVE-2023-24813.json 38.6.0