Security Advisory - Published 2026-06-11 - PHP
PHP CMS and library CVEs: Concrete CMS, DedeCMS, FrankenPHP, and Snappy
This batch affects very different PHP stacks, but the site-owner checklist is similar: confirm the exact package or CMS version, check whether untrusted users can upload or influence files, review logs around content editing and PDF generation, then patch or isolate the affected component.
What is affected
| CVE | Product | Risk condition | Patch target |
|---|---|---|---|
| CVE-2026-10721 | Concrete CMS | PHP object injection risk when unsafe serialized data can reach vulnerable components. | 9.5.2 or newer |
| CVE-2026-38615 | DedeCMS | Command execution risk in vulnerable file management code. | Vendor-fixed build or remove exposed legacy install |
| CVE-2026-45062 | FrankenPHP | PHP script routing confusion when deployments let users place files that the server may execute. | 1.12.3 or newer |
| CVE-2026-46643 | KnpLabs Snappy | PDF/image generation risk when the binary path can be influenced by user or environment data. | 1.7.1 or newer |
| CVE-2026-46683 | KnpLabs Snappy | SSRF and local file read risk when untrusted stylesheet options can influence rendering. | 1.7.0 or newer |
Inventory checks
composer show | grep -E 'concrete|frankenphp|knplabs/knp-snappy'
php -v
find . -maxdepth 4 \( -iname 'composer.lock' -o -iname 'concrete.php' -o -iname 'include.php' \) | head -100
For CMS installations, check the running site, not just a backup directory. For Snappy and FrankenPHP, check application dependency locks, container image tags, process command lines, and deployment templates.
Exposure checks
- Concrete CMS: identify sites below 9.5.2 and review recent cache, permission, and search-related errors.
- DedeCMS: legacy DedeCMS installs should be removed from public web roots if they are not actively maintained.
- FrankenPHP: review upload, media, file-sharing, and CMS-generated file paths before assuming the routing bug is unreachable.
- Snappy: confirm the path to wkhtmltopdf or wkhtmltoimage is hard-coded by trusted config, and block untrusted stylesheet or URL options from PDF jobs.
Logs and compromise indicators
- Unexpected PHP files in upload, cache, media, or temporary directories.
- New scheduled jobs, systemd units, or shell history around web-server users.
- PDF generation jobs that reference unusual binary paths or tenant-controlled settings.
- CMS admin logins immediately before plugin, template, or file-manager changes.
- Web server errors involving unserialize, command execution, missing binaries, or PHP script routing.
Safe fix path
- Patch Concrete CMS, FrankenPHP, and Snappy to fixed versions where available.
- Remove unused legacy DedeCMS directories from public web roots.
- For file upload features, make sure user files cannot be interpreted as PHP.
- Pin PDF-rendering binary paths in trusted configuration and validate executability at startup.
- Run PDF-rendering workers with tight outbound network rules and no access to local secrets.
- Restart PHP-FPM, FrankenPHP, queue workers, and PDF-rendering workers after patching.
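A hardened wrapper that applies the Snappy checks from the exposure and fix-path lists above (binary path pinned by trusted config and validated at startup, only allowlisted options forwarded, so untrusted stylesheet or URL options never reach the renderer). This is an added example, not code from Snappy or this advisory; the `PinnedPdfRenderer` class, the allowlist contents and the `/usr/local/bin/wkhtmltopdf` path are assumptions for illustration.

```php
<?php
// Added example (not Snappy's own code). Assumes knplabs/knp-snappy is installed
// via Composer and that the binary path comes from a deploy-time config value,
// never from request, tenant or environment data a user can influence.
require __DIR__ . '/vendor/autoload.php';

use Knp\Snappy\Pdf;

final class PinnedPdfRenderer
{
    // The only caller-influenced options ever forwarded to wkhtmltopdf, with the
    // exact values permitted. 'user-style-sheet', 'allow', 'cookie' and similar
    // options are absent on purpose and are therefore rejected below.
    private const ALLOWED_OPTIONS = [
        'orientation' => ['Portrait', 'Landscape'],
        'page-size'   => ['A4', 'Letter'],
    ];

    private Pdf $pdf;

    public function __construct(string $binary)
    {
        // Validate executability once at startup, before any job is accepted,
        // so a wrong or missing binary fails the worker rather than a user's job.
        if (!is_file($binary) || !is_executable($binary)) {
            throw new RuntimeException("PDF binary is not a valid executable: $binary");
        }
        $this->pdf = new Pdf($binary);
        // Hard defaults callers cannot override: no local file reads, no JS.
        $this->pdf->setOption('disable-local-file-access', true);
        $this->pdf->setOption('disable-javascript', true);
    }

    /** @param array<string,string> $requested options that may come from a user or tenant */
    public function render(string $html, array $requested): string
    {
        $options = [];
        foreach ($requested as $name => $value) {
            $permitted = self::ALLOWED_OPTIONS[$name] ?? null;
            if ($permitted === null || !in_array($value, $permitted, true)) {
                throw new InvalidArgumentException("Rejected PDF option: $name");
            }
            $options[$name] = $value;
        }
        return $this->pdf->getOutputFromHtml($html, $options);
    }
}

// Usage: the path is a pinned, trusted constant; the option array is untrusted input.
$renderer = new PinnedPdfRenderer('/usr/local/bin/wkhtmltopdf');
$pdfBytes = $renderer->render('<h1>Invoice</h1>', ['page-size' => 'A4']);
```

Pair this with the outbound-network restriction from the fix path, since allowlisting options does not stop an HTML body itself from referencing remote resources.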
Ping7 repair path
Ping7 can review PHP versions, CMS installs, Composer locks, upload directories, PDF rendering config, and post-patch cleanup. Start from CVE Repair if the site contains customer uploads, admin file management, or unexplained PHP files.