CVE-2022-50897 HIGH

CVE-2022-50897: mPDF 7.0 - Local File Inclusion

Vendor Mpdf

Product mPDF

Weakness CWE-98 · PHP file inclusion

Published January 13, 2026

Last update March 5, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications.

Key dates

02Disclosure timeline

January 13, 2026 CVE published

March 5, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-50897

Related vulnerabilities

04Related CVE

CVE-2026-28067 WordPress Bassein theme <= 1.0.15 - Local File Inclusion vulnerability CVE-2026-28060 WordPress S.King theme <= 1.5.3 - Local File Inclusion vulnerability CVE-2025-67955 WordPress MyHome Core plugin <= 4.1.0 - Local File Inclusion vulnerability CVE-2025-68536 WordPress Zota theme <= 1.3.14 - Local File Inclusion vulnerability CVE-2025-68539 WordPress Fana theme <= 1.1.35 - Local File Inclusion vulnerability