We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-1026



Description

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. **Note:** This is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).

Reserved 2025-02-04 | Published 2025-02-05 | Updated 2025-02-05 | Assigner snyk


HIGH: 7.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:PHIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P

Problem types

Improper Input Validation

Credits

Chua Jian Shen

Ee Yang Tee

References

security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533024

gist.github.com/...jianshen/6291920112fcf1543fa7b43862112be6

github.com/spatie/browsershot/pull/908

gist.github.com/mrdgef/54a8783408220c67c1b859df38a52d65

github.com/...ommit/e3273974506865a24fbb5b65b534d8d4b8dfbf72

cve.org (CVE-2025-1026)

nvd.nist.gov (CVE-2025-1026)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2025-1026

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.