Threat Advisory

Knp Snappy Command Injection via Unescaped Binary Path (CVE-2026-46643)

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-46643 (CVSS 7.5) is a command injection vulnerability in the KnpLabs/knp-snappy package, the PHP wrapper around the wkhtmltopdf and wkhtmltoimage binaries. Because of an inverted is_executable check, the configured binary path is never shell-escaped when the command line is built, so shell metacharacters in that path are interpreted by the shell rather than treated as part of a file name. The path becomes attacker-reachable whenever it is sourced from user-influenced configuration, from environment variables derived from request data, or by concatenating a trusted prefix with a user-controlled fragment; an attacker who can influence it executes arbitrary commands as the PHP process. The business impact is command execution on the application host, with the data tampering and full system compromise that follow from it. Exploitation requires the ability to manipulate the binary path, which in practice means write access to the configuration, environment or filesystem location it is read from; deployments that hardcode the path in trusted, static configuration are not directly exposed but should still upgrade, since the escaping defect remains in the code.
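The following PHP is an added illustration written for this advisory, not code from knp-snappy or from the GHSA; the function names, the allowlist parameter and the sample paths are assumptions. It reduces the flaw to its essence: a binary path concatenated raw into a shell command next to properly escaped options, beside a hardened builder that validates the path and escapes it unconditionally.

```php
<?php
declare(strict_types=1);

// Added illustration (not knp-snappy's own code). A binary path interpolated
// into a shell string without escaping is a command-injection sink: whoever
// can influence the path runs commands as the PHP process.

/**
 * Unsafe pattern: options and file arguments are escaped, the binary is not.
 * This is the net effect the advisory describes, reduced to one function.
 */
function buildCommandUnsafe(string $binary, array $options, string $input, string $output): string
{
    $cmd = $binary; // raw: metacharacters in $binary reach the shell
    foreach ($options as $name => $value) {
        $cmd .= ' --' . $name . ' ' . escapeshellarg((string) $value);
    }
    return $cmd . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

/**
 * Hardened pattern (hypothetical helper, assumption): validate the path,
 * optionally pin it to an allowlist, then escape it regardless of the checks.
 * Validation is defence in depth; the escaping is what closes the injection.
 *
 * @param string[] $allowedBinaries absolute paths the deployment expects
 */
function buildCommandSafe(string $binary, array $options, string $input, string $output, array $allowedBinaries = []): string
{
    $resolved = realpath($binary);
    if ($resolved === false || !is_file($resolved) || !is_executable($resolved)) {
        throw new InvalidArgumentException("Binary is not an executable file: {$binary}");
    }
    // Compare resolved paths so symlinked locations (/bin -> /usr/bin) still match.
    $allowed = array_filter(array_map('realpath', $allowedBinaries));
    if ($allowedBinaries !== [] && !in_array($resolved, $allowed, true)) {
        throw new InvalidArgumentException("Binary is not on the allowlist: {$resolved}");
    }

    $cmd = escapeshellarg($resolved); // a single-quoted word is still a valid command in sh
    foreach ($options as $name => $value) {
        if (!preg_match('/^[a-z0-9-]+$/i', (string) $name)) {
            throw new InvalidArgumentException("Unexpected option name: {$name}");
        }
        $cmd .= ' --' . $name . ' ' . escapeshellarg((string) $value);
    }
    return $cmd . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

// Constructed input: a binary path an attacker has managed to influence, e.g.
// through writable configuration or a request-derived environment variable.
$attackerPath = '/usr/local/bin/wkhtmltopdf; id #';
$options      = ['page-size' => 'A4'];

// Unsafe: the returned string contains an unquoted `; id #`, so a shell
// executing it runs `id` as the PHP user and comments out the rest.
echo buildCommandUnsafe($attackerPath, $options, '/tmp/in.html', '/tmp/out.pdf'), PHP_EOL;

// Safe: the same path does not resolve to an executable file and is rejected
// before any command string is built.
try {
    buildCommandSafe($attackerPath, $options, '/tmp/in.html', '/tmp/out.pdf');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Safe with a genuine executable (/bin/sh exists on any POSIX host, used here
// only as a stand-in for wkhtmltopdf): the path comes back single-quoted, so
// spaces or metacharacters in a real path cannot split the command.
echo buildCommandSafe('/bin/sh', $options, '/tmp/in.html', '/tmp/out.pdf', ['/bin/sh']), PHP_EOL;
```

Run it with the php CLI. The order of the two defences matters: the advisory's own precondition is an attacker with write access, and such an attacker can create an executable file whose name contains shell metacharacters, so an is_executable check on its own does not close the hole. escapeshellarg applied unconditionally does, and the allowlist of resolved paths stops the binary from being redirected to an attacker-owned executable in the first place.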

RECOMMENDATION:

Update KnpLabs/knp-snappy to version 1.7.2 or later. Until the upgrade is deployed, make sure the binary path is read only from trusted, static deployment configuration and never from request data, user-writable settings or request-derived environment variables. Because the advisory's precondition is an attacker who can write to wherever the path is sourced from, it is also worth restricting write permissions on that configuration and on the directory holding the wkhtmltopdf/wkhtmltoimage binaries.

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-vpr4-p6fq-85jc