spatie/browsershot
Packagist
10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting spatie/browsershot
- CVE-2020-7790 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 3.40.1 | 2020-12-11
vulnerable: 0.1.0 ... 3.9.0 (91 versions)
This affects the package spatie/browsershot from 0.0.0. By specifying a URL in the file:// protocol an attacker is able to include arbitrary files in the resultant PDF.
- CVE-2022-41706 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 3.57.3 | 2022-11-25
vulnerable: 0.1.0 ... 3.9.0 (123 versions)
Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method.
- CVE-2022-43983 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 3.57.3 | 2022-11-25
vulnerable: 0.1.0 ... 3.9.0 (123 versions)
Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL's…
- CVE-2022-43984 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 3.57.4 | 2022-11-25
vulnerable: 0.1.0 ... 3.9.0 (124 versions)
Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::htm…
- CVE-2024-21544 | HIGH | CVSS 8.6 | EG 8.6 | ✓ Fixed in 5.0.1 | 2024-12-13
vulnerable: 0.1.0 ... 5.0.0 (153 versions)
Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before t…
- CVE-2024-21547 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.0.2 | 2024-12-18
vulnerable: 0.1.0 ... 5.0.1 (154 versions)
Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal due to URI normalisation in the browser where the file:// check can be bypassed with file:\\. An attacker could read any file on the server by ex…
- CVE-2024-21549 | HIGH | CVSS 8.6 | EG 8.6 | ✓ Fixed in 5.0.3 | 2024-12-20
vulnerable: 0.1.0 ... 5.0.2 (155 versions)
Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, whic…
- CVE-2025-1022 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 5.0.5 | 2025-02-05
vulnerable: 0.1.0 ... 5.0.4 (157 versions)
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../..…
- CVE-2025-1026 | HIGH | CVSS 8.6 | EG 8.6 | ✓ Fixed in 5.0.5 | 2025-02-05
vulnerable: 0.1.0 ... 5.0.4 (157 versions)
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive f…
- CVE-2025-3192 | HIGH | CVSS 8.2 | EG 8.2 | 2025-04-04
vulnerable: 0.1.0 ... 5.0.3 (156 versions)
Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its dire…