Code Injection in Dompdf - CVE-2022-28368
Published: February 16, 2023 / Updated: May 21, 2026
Vulnerability identifier: #VU72315
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2022-28368
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: dompdf
Affected software:
Dompdf
Dompdf
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when handling "src:url" field of an @font-face Cascading Style Sheets (CSS) statement inside an HTML input file. A remote attacker can link a malicious .php file and execute it on the system with installed Dompd when converting HTML to PDF.
Successful exploitation of the vulnerability can allow an attacker to compromise the affected system.
How to mitigate CVE-2022-28368
Install updates from vendor's website.