mPDF Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in mPDF version 7.0. It allows attackers to read arbitrary system files by manipulating the file parameter of an annotation. Exploitation involves crafting annotation content that contains a file path specification; the payload can be URL-encoded or base64-encoded and causes local files to be included.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive system files, potentially allowing for further attacks or information disclosure.

Reproduction

To reproduce this vulnerability, create an mPDF document and include an annotation with a file path specification in the 'file' attribute. The annotation content can be crafted to include URL-encoded or base64-encoded payloads that reference local files. When the document is processed, the specified files will be included, demonstrating the local file inclusion vulnerability.
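
A defensive check for the input pattern described above, as an added example that is not part of the advisory or of mPDF: it flags untrusted HTML that carries an annotation tag with a file attribute, including URL-encoded and base64-encoded forms, so the markup can be rejected or logged before it reaches the PDF renderer. The function names, the sample strings and the placeholder path are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# An <annotation ...> tag carrying a file attribute, the pattern the advisory describes.
ANNOTATION_FILE = re.compile(r"<\s*annotation\b[^>]*\bfile\s*=", re.IGNORECASE)


def candidate_decodings(value, depth=3):
    """Yield value plus its URL-decoded and base64-decoded forms, nested up to depth."""
    seen = set()
    queue = [(value, 0)]
    while queue:
        text, level = queue.pop()
        if text in seen:
            continue
        seen.add(text)
        yield text
        if level >= depth:
            continue
        queue.append((unquote(text), level + 1))
        try:
            raw = base64.b64decode(text.strip(), validate=True)
            queue.append((raw.decode("utf-8"), level + 1))
        except (binascii.Error, ValueError):
            pass  # not valid base64 or not text, so nothing further to inspect


def has_file_annotation(value):
    """True if any decoding of value contains an annotation tag with a file attribute."""
    return any(ANNOTATION_FILE.search(t) for t in candidate_decodings(value))


# Constructed sample inputs; the path is a placeholder, not taken from the advisory.
_plain = '<annotation file="/path/to/local/file" content="note" />'
_b64 = base64.b64encode(_plain.encode()).decode()
SAMPLES = {
    "plain": _plain,
    "url_encoded": quote(_plain),
    "base64": _b64,
    "url_encoded_base64": quote(_b64, safe=""),
    "benign_annotation": '<annotation content="note" />',
    "benign_html": "<p>Quarterly report</p>",
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name}: {'FLAGGED' if has_file_annotation(sample) else 'ok'}")
```

The check is a pre-filter for untrusted input and does not replace updating mPDF or removing annotation support from user-supplied markup.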

Added: Jan 13, 2026, 11:21 PM
Updated: Jan 13, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 3.3
exploitability: 6.0
remediation: 0.0
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.