cvedb.io
CVE-2018-19047
CRITICAL · CVSS 10
EPSS exploitation probability: 0%
Published 2018-11-07T05:29:00.297 · Last modified 2026-06-17T01:48:41.410

Summary

mPDF through 7.1.6, if deployed as a web application that accepts arbitrary HTML, allows SSRF, as demonstrated by a '<img src="http://192.168' substring that triggers a call to getImage in Image/ImageProcessor.php. NOTE: the software maintainer disputes this, stating "If you allow users to pass HTML without sanitising it, you're asking for trouble."

Affected products

mpdf_project — mpdf

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.