mPDF 7.0 - Local File Inclusion | Advisories

Advisories

mPDF 7.0 - Local File Inclusion

severity: high
date: January 13, 2026
Affecting: mPDF 7.0
CVE: CVE-2022-50897
CWE: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-50995
Official mPDF Project Homepage
Credit: Musyoka Ian
Description: mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications.