
AIKIDO-2026-10209

spatie/browsershot is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Exposure of Sensitive Information to an Unauthorized Actor
Pre-CVE: Found by Aikido Intel before public disclosure or CVE publication.
Published Feb 21, 2026

47

Medium Risk

This Affects:

PHP: spatie/browsershot
Affected versions: 2.0.0 - 5.2.0
Fixed in 5.2.1

TL;DR

Affected versions of this package are vulnerable to local file read. Insufficient validation of URLs in HTML content allows attackers to bypass protections using UNC paths or protocol-relative URLs pointing to local addresses (for example \\localhost or //127.0.0.1). This can allow unauthorized access to local files when rendering content.
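As a defense-in-depth check alongside the upgrade, an application can flag the reference forms named above in untrusted HTML before rendering it. The sketch below is an added example, not code from this advisory or from spatie/browsershot; the function names and the sample HTML are hypothetical, and it assumes PHP 8 with ext-dom.

```php
<?php
// Added example, not spatie/browsershot code; function names are hypothetical.
// Requires PHP 8 (str_starts_with, str_ends_with) and ext-dom.

/** Return why a URL reference looks local, or null if it is not flagged. */
function localReferenceReason(string $ref): ?string
{
    $ref = trim($ref);
    if (str_starts_with($ref, '\\\\')) {
        return 'UNC path';                       // \\host\share\...
    }
    // Browsers treat "\" like "/" in URLs, so normalise before inspecting.
    $u = strtolower(str_replace('\\', '/', $ref));
    if (str_starts_with($u, 'file:')) {
        return 'file: scheme';
    }
    if (preg_match('~^//([^/?#]*)~', $u, $m)) {  // protocol-relative: //host/path
        // Drop userinfo, port and IPv6 brackets to get the bare host.
        $host = trim(preg_replace('/^.*@|:\d+$/', '', $m[1]), '[]');
        if ($host === 'localhost' || str_ends_with($host, '.localhost')
            || $host === '::1' || preg_match('/^127(\.\d+){1,3}$/', $host)) {
            return 'protocol-relative URL to loopback host';
        }
    }
    return null;
}

/** Collect flagged src/href/data/poster attributes from untrusted HTML. */
function findLocalReferences(string $html): array
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);    // tolerate real-world markup
    $doc->loadHTML($html, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $hits = [];
    foreach ((new DOMXPath($doc))->query('//@src | //@href | //@data | //@poster') as $attr) {
        if (($reason = localReferenceReason($attr->value)) !== null) {
            $hits[] = "<{$attr->ownerElement->nodeName} {$attr->name}=\"{$attr->value}\">: $reason";
        }
    }
    return $hits;
}

// Constructed sample input: two local references and two ordinary remote ones.
$html = <<<'HTML'
<img src="\\localhost\share\a.png"><img src="//127.0.0.1/b.png">
<img src="//cdn.example.com/c.png"><link rel="stylesheet" href="https://example.com/d.css">
HTML;
print_r(findLocalReferences($html));
```

The check covers only the four listed attributes and literal loopback hosts; CSS `url()` values, `srcset`, alternate IP encodings and hostnames that resolve to local addresses are not inspected, so it supplements the fixed release rather than replacing it.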

Who does this affect?

You are affected if you are using a version of spatie/browsershot that falls within the vulnerable range (2.0.0 - 5.2.0).

Background info

spatie/browsershot is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in versions 2.0.0 - 5.2.0.

How to fix this

Upgrade the spatie/browsershot library to the patched version, 5.2.1.