汇总 mpdf_project 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 SSRF与文件包含,在 软件部署与生产负载 使用场景中可能带来 文件覆盖与未授权访问 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2022-50897 | mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications. | [email protected] | 8.7 | 0.47% | 2026-01-13 | 2026-02-02 |
| CVE-2019-1000005 | mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content <img src="phar://path/to/crafted/image">. This vulnerability appears to have been fixed in 7.1.8. | [email protected] | 8.8 | 2.10% | 2019-02-04 | 2024-11-21 |
| CVE-2018-19047 | mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '<img src="http://192.168' substring that triggers a call to getImage in Image/ImageProcessor.php. NOTE: the software maintainer disputes this, stating "If you allow users to pass HTML without sanitising it, you're asking for trouble. | [email protected] | 10.0 | 2.08% | 2018-11-07 | 2024-11-21 |