Security Advisory - Published 2026-06-11 - PHP

PHP CMS and library CVEs: Concrete CMS, DedeCMS, FrankenPHP, and Snappy

This batch affects very different PHP stacks, but the site-owner checklist is similar: confirm the exact package or CMS version, check whether untrusted users can upload or influence files, review logs around content editing and PDF generation, then patch or isolate the affected component.

Defensive scope: this page avoids attack strings and crafted file examples. It focuses on inventory, exposure conditions, logs, and safe updates.

What is affected

CVE | Product | Risk condition | Patch target
CVE-2026-10721 | Concrete CMS | PHP object injection when unsafe serialized data can reach vulnerable components | 9.5.2 or newer
CVE-2026-38615 | DedeCMS | Command execution in vulnerable file management code | Vendor-fixed build, or remove the exposed legacy install
CVE-2026-45062 | FrankenPHP | PHP script routing confusion when deployments let users place files that the server may execute | 1.12.3 or newer
CVE-2026-46643 | KnpLabs Snappy | PDF/image generation risk when the binary path can be influenced by user or environment data | 1.7.1 or newer
CVE-2026-46683 | KnpLabs Snappy | SSRF and local file read when untrusted stylesheet options can influence rendering | 1.7.0 or newer

Inventory checks

composer show | grep -E -i 'concrete|knplabs/knp-snappy'    # run in the application root; lists Composer-managed components only
php -v
frankenphp version 2>/dev/null; docker image ls --format '{{.Repository}}:{{.Tag}}' | grep -i frankenphp    # FrankenPHP ships as a binary or container image, not a Composer package
find . -maxdepth 4 \( -iname 'composer.lock' -o -iname 'concrete.php' -o -iname 'include.php' \) | head -100

For CMS installations, check the running site, not just a backup directory. For Snappy and FrankenPHP, check application dependency locks, container image tags, process command lines, and deployment templates.

Exposure checks

  • Concrete CMS: identify sites below 9.5.2 and review recent cache, permission, and search-related errors.
  • DedeCMS: remove legacy DedeCMS installs from public web roots unless they are actively maintained and running a vendor-fixed build.
  • FrankenPHP: review upload, media, file-sharing, and CMS-generated file paths before assuming the routing bug is unreachable; any location where a user can place a file the server might execute counts as exposure.
  • Snappy: identify installs below 1.7.1 (which covers both CVEs), confirm the wkhtmltopdf or wkhtmltoimage path comes from trusted configuration rather than request data, tenant settings, or inherited environment variables, and block untrusted stylesheet or URL options from PDF jobs.

Logs and compromise indicators

  • Unexpected PHP files in upload, cache, media, or temporary directories.
  • New scheduled jobs, systemd units, or shell history around web-server users.
  • PDF generation jobs that reference unusual binary paths or tenant-controlled settings.
  • CMS admin logins immediately before plugin, template, or file-manager changes.
  • Web server errors involving unserialize, command execution, missing binaries, or PHP script routing.
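The file and log indicators above can be checked with a short triage script. The following is an added example written for this page, not tooling from Ping7 or from any of the affected projects; it assumes PHP 8.1+ and nothing else. The upload directory and the log lines it scans are constructed inside the script so it runs offline, and the pattern lists are starting points to tune against your own logs.

```php
<?php
// Added example, not Ping7's or any vendor's tooling. Assumes PHP 8.1+.
// The upload directory and log lines below are constructed so the script runs
// offline; point findExecutableUploads() and flagLogLines() at real paths and
// real error/access logs after reading it.
declare(strict_types=1);

// Indicator 1: PHP-interpretable files under user-writable directories.
function findExecutableUploads(string $dir): array
{
    $hits = [];
    // .phtml/.phar/.php5 are the usual gaps in "block .php" rules.
    $re = '/\.(php[0-9]?|phtml|phar|phps)$/i';
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && preg_match($re, $file->getFilename()) === 1) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Indicator 2: error-log and access-log lines matching this batch's failure modes.
// A line can carry several labels; all of them are reported.
function flagLogLines(iterable $lines): array
{
    $patterns = [
        'unserialize'       => '/unserialize\(\)|__PHP_Incomplete_Class/i',
        'command-exec'      => '/\b(proc_open|shell_exec|passthru|popen|exec)\(\)/',
        'missing-binary'    => '/No such file or directory|exit status code .?127|is not executable|command not found/i',
        'script-routing'    => '/Primary script unknown|No input file specified|script routing/i',
        'php-under-uploads' => '#/(uploads|media|cache|tmp)/\S*\.(php[0-9]?|phtml|phar)\b#i',
    ];
    $flagged = [];
    foreach ($lines as $n => $line) {
        $labels = [];
        foreach ($patterns as $label => $re) {
            if (preg_match($re, $line) === 1) {
                $labels[] = $label;
            }
        }
        if ($labels !== []) {
            $flagged[] = ['line' => $n + 1, 'indicators' => $labels, 'text' => trim($line)];
        }
    }
    return $flagged;
}

// --- constructed fixture data, only so the script runs as-is ---
$tmp = sys_get_temp_dir() . '/ioc-demo-' . getmypid();
mkdir("$tmp/uploads/2026/06", 0700, true);
file_put_contents("$tmp/uploads/2026/06/invoice.pdf", '%PDF-1.4');
file_put_contents("$tmp/uploads/2026/06/avatar.phtml", '<?php // constructed marker, not a payload');

$sampleLog = [ // constructed lines in common PHP-FPM / nginx shapes, not real traffic
    '[11-Jun-2026 09:14:02] PHP Notice: unserialize(): Error at offset 12 of 48 bytes in /srv/app/cache/item.php on line 88',
    '[11-Jun-2026 09:20:45] PHP Warning: proc_open(): Exec failed: No such file or directory in /srv/app/vendor/symfony/process/Process.php on line 321',
    '[11-Jun-2026 09:21:10] GET /uploads/2026/06/avatar.phtml 200 "Mozilla/5.0"',
    '2026/06/11 09:22:00 [error] FastCGI sent in stderr: "Primary script unknown" while reading response header',
    '[11-Jun-2026 09:30:00] PHP Notice: Undefined index: foo in /srv/app/templates/page.php on line 7',
];

print_r(findExecutableUploads("$tmp/uploads"));
print_r(flagLogLines($sampleLog));

// Remove the fixture.
unlink("$tmp/uploads/2026/06/invoice.pdf");
unlink("$tmp/uploads/2026/06/avatar.phtml");
rmdir("$tmp/uploads/2026/06");
rmdir("$tmp/uploads/2026");
rmdir("$tmp/uploads");
rmdir($tmp);
```

On the constructed data the first function reports only avatar.phtml, and the second flags four of the five lines (the benign Undefined index notice is left alone). Treat a hit as a reason to look, not as proof of compromise: a proc_open warning from a PDF worker whose binary was removed by a package upgrade looks the same as one from an injected path, which is why the binary path check in the fix path matters.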

Safe fix path

  1. Patch Concrete CMS, FrankenPHP, and Snappy to fixed versions where available.
  2. Remove unused legacy DedeCMS directories from public web roots.
  3. For file upload features, make sure user files cannot be interpreted as PHP.
  4. Pin PDF-rendering binary paths in trusted configuration and validate executability at startup.
  5. Run PDF-rendering workers with tight outbound network rules and no access to local secrets.
  6. Restart PHP-FPM, FrankenPHP, queue workers, and PDF-rendering workers after patching.
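Steps 4 and 5, together with the Snappy exposure check above, amount to a small wrapper that owns the binary path and the option set instead of letting callers supply them. The following is an added example, not code from KnpLabs Snappy, Ping7, or this advisory. It assumes PHP 8.1+, knplabs/knp-snappy installed through Composer, and a hypothetical binary path /usr/bin/wkhtmltopdf that you replace with your own package-managed install; the option allow-list and value patterns are illustrative choices for an invoice-style job.

```php
<?php
// Added example, not code from Snappy or from this advisory. Assumes PHP 8.1+,
// knplabs/knp-snappy installed through Composer, and that BINARY below points at
// a package-managed wkhtmltopdf on the worker host (hypothetical path).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Knp\Snappy\Pdf;

final class SafePdfRenderer
{
    // Pinned in code or deploy-time config; never read from requests, tenant
    // settings, or an inherited environment variable.
    private const BINARY = '/usr/bin/wkhtmltopdf'; // assumption: adjust to your install

    // The only options a caller may pass, each with a strict value pattern.
    // Options that load extra resources (user-style-sheet, run-script, allow,
    // cookie, custom-header, post, proxy) are deliberately not listed.
    private const ALLOWED_OPTIONS = [
        'page-size'     => '/^(A4|A3|Letter|Legal)$/',
        'orientation'   => '/^(Portrait|Landscape)$/',
        'margin-top'    => '/^\d{1,3}mm$/',
        'margin-bottom' => '/^\d{1,3}mm$/',
        'margin-left'   => '/^\d{1,3}mm$/',
        'margin-right'  => '/^\d{1,3}mm$/',
    ];

    private Pdf $pdf;

    public function __construct()
    {
        self::assertTrustedBinary(self::BINARY); // fail at startup, not on the first job

        // Fixed, minimal environment for the child process: no PATH inherited
        // from the web server, no application secrets.
        $env = ['PATH' => '/usr/bin:/bin', 'HOME' => '/nonexistent'];

        $this->pdf = new Pdf(self::BINARY, [
            'disable-local-file-access' => true, // no file:// reads from rendered HTML
            'disable-javascript'        => true,
        ], $env);
        $this->pdf->setTimeout(30);
    }

    public function render(string $html, array $callerOptions = []): string
    {
        $safe = [];
        foreach ($callerOptions as $name => $value) {
            if (!is_string($name) || !isset(self::ALLOWED_OPTIONS[$name])) {
                throw new InvalidArgumentException('option not allowed: ' . var_export($name, true));
            }
            if (!is_string($value) || preg_match(self::ALLOWED_OPTIONS[$name], $value) !== 1) {
                throw new InvalidArgumentException("bad value for option $name");
            }
            $safe[$name] = $value;
        }
        // Per-call options are merged on top of the constructor's fixed ones;
        // nothing in $safe can switch local file access back on.
        return $this->pdf->getOutputFromHtml($html, $safe);
    }

    private static function assertTrustedBinary(string $path): void
    {
        if ($path === '' || $path[0] !== '/' || str_contains($path, '..')) {
            throw new RuntimeException("binary path must be absolute: $path");
        }
        $real = realpath($path);
        if ($real === false || !is_file($real) || !is_executable($real)) {
            throw new RuntimeException("binary missing or not executable: $path");
        }
        $perms = fileperms($real);
        if ($perms === false || ($perms & 0022) !== 0) {
            throw new RuntimeException("binary is group- or world-writable: $real");
        }
    }
}

// Constructed caller input (not real tenant data): one allowed option plus one
// that the allow-list rejects before Snappy ever sees it.
$renderer = new SafePdfRenderer();
try {
    $renderer->render('<h1>Invoice</h1>', ['page-size' => 'A4', 'user-style-sheet' => '/tmp/theme.css']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
file_put_contents('/tmp/invoice.pdf', $renderer->render('<h1>Invoice</h1>', ['page-size' => 'A4']));
```

The wrapper covers the two Snappy conditions from the table: the binary path is a constant that is checked for existence, executability, and write permissions before any job runs, and stylesheet or URL-bearing options cannot reach the renderer because only listed options with matching values pass through. It does not replace step 5: HTML that references remote images still makes the worker issue outbound requests, so keep the egress rules on the worker host as well.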

Ping7 repair path

Ping7 can review PHP versions, CMS installs, Composer locks, upload directories, PDF rendering config, and post-patch cleanup. Start from CVE Repair if the site contains customer uploads, admin file management, or unexplained PHP files.
