GHSA-gq6w-q6wh-jggc · Severity: critical · Ecosystem: composer — PHAR deserialization allowing remote code execution
Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution especially when snappy is used with frameworks with documented POP chains like Laravel/Symfony vulnerable developer code. If a user can control the output file from the `generateFromHtml()` function, it will invoke deserialization. This vulnerability is capable of remote code execution if Snappy is used with frameworks or developer code with vulnerable POP chains. It has been fixed in version 1.4.2.
Conclusion & alert: CVE-2023-28115 is rated High Exploit Risk (83.3/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 2.76%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-23 | 3.21% | 2.76% | -0.45% |
| 2 | 2026-06-15 | 11.39% | 3.21% | -8.18% |
| 3 | 2026-04-04 | — | 11.39% | — |
Full EPSS history (43 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
GHSA-gq6w-q6wh-jggc · Severity: critical · Ecosystem: composer — PHAR deserialization allowing remote code execution
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2023-28115 not yet assigned priority: Debian including 1 source packages (civicrm), 1 status rows across 1 suites (bullseye): open 1. | https://security-tracker.debian.org/tracker/CVE-2023-28115 |
ubuntu
|
medium | CVE-2023-28115 medium priority: Ubuntu including 1 source packages (civicrm), 13 status rows across 13 suites (bionic, focal, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 6, needs-triage 5, ignored 2. | https://ubuntu.com/security/CVE-2023-28115 |