All Dompdf CVEs — Complete Vulnerability History
Dompdf renders HTML to PDF in PHP. CVE-2021-3838 is critical and on CISA KEV — RCE via CSS import with a crafted URL. Any app using an unpatched dompdf (before 2.0.0) to render user-controlled HTML is vulnerable.
PHP · 2M+ weekly downloads · 1 CVE total · 1 CRITICAL · 🔴 CISA KEV
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2021-3838 | 2021 | 🔴 CRITICAL | RCE via CSS import with crafted URL — CISA KEV | Fixed 2.0.0 |
Current safe version: ^2.0. In composer.json, change the requirement from:

    "dompdf/dompdf": "^1.2"

to:

    "dompdf/dompdf": "^2.0"

Then run: composer install
Paste your manifest — get a fixed version with all CVEs patched in seconds.
Common questions
What does CVE-2021-3838 allow an attacker to do?
Execute arbitrary code on the server by injecting a CSS @import rule that loads a PHP file disguised as a font. If your application renders user-supplied HTML to PDF with an unpatched version, this is critical.
How do I safely use dompdf?
Never render user-controlled HTML directly through dompdf. Sanitize all HTML input before passing it to dompdf, or render in a sandboxed environment.
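The following is an added example, not code from this page or from the dompdf project, showing one way to apply the advice above: strip author-supplied CSS (and with it any @import or font url()) from untrusted HTML with a tag/attribute allowlist, then render with dompdf's remote fetching disabled and local file access confined to one asset directory. It assumes dompdf 2.x installed through Composer (`vendor/autoload.php`) and a directory `./pdf-assets` holding only vetted images and fonts; both paths are assumptions. The sample input at the end is constructed for illustration.

```php
<?php
// Added example (not from the page or the dompdf project): render untrusted
// HTML with dompdf while removing the inputs the CSS-import vector depends on.
// Assumes dompdf >= 2.0 via Composer and a dedicated asset directory
// (./pdf-assets); both are assumptions, not values from the page.

require __DIR__ . '/vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * Reduce untrusted HTML to a conservative allowlist of tags and attributes.
 * <style>, <link>, <img>, inline style="" and on*="" handlers are all dropped,
 * so no author-controlled CSS reaches the renderer. Disallowed elements are
 * removed together with their content (strict by design).
 */
function sanitizeHtmlForPdf(string $untrustedHtml): string
{
    $allowedTags  = ['p', 'h1', 'h2', 'h3', 'ul', 'ol', 'li', 'table', 'thead', 'tbody',
                     'tr', 'th', 'td', 'strong', 'em', 'br', 'span', 'div'];
    $allowedAttrs = ['colspan', 'rowspan'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate malformed markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $untrustedHtml . '</body>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // Snapshot the node list first because we mutate the tree while walking it.
    foreach (iterator_to_array($xpath->query('//*'), false) as $el) {
        if (!$el instanceof DOMElement) {
            continue;
        }
        $tag = strtolower($el->tagName);
        if ($tag === 'body') {
            continue;
        }
        if (!in_array($tag, $allowedTags, true)) {
            $el->parentNode?->removeChild($el);   // already detached if an ancestor was removed
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            if (!in_array(strtolower($attr->name), $allowedAttrs, true)) {
                $el->removeAttribute($attr->name);
            }
        }
    }

    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

/**
 * Render sanitized HTML with a hardened dompdf configuration and return the PDF bytes.
 */
function renderUntrustedHtmlToPdf(string $untrustedHtml, string $assetDir): string
{
    $options = new Options();
    $options->setIsRemoteEnabled(false);      // no http(s) stylesheets, images or fonts
    $options->setChroot($assetDir);           // local file access limited to vetted assets
    $options->setIsPhpEnabled(false);         // no embedded PHP evaluation
    $options->setIsJavascriptEnabled(false);  // no embedded JavaScript

    $dompdf = new Dompdf($options);
    $dompdf->loadHtml(sanitizeHtmlForPdf($untrustedHtml), 'UTF-8');
    $dompdf->setPaper('A4', 'portrait');
    $dompdf->render();
    return $dompdf->output();
}

// Constructed sample input (not from the page): a stylesheet with an @import and
// an element carrying inline style and an event handler, all of which are stripped.
$sample = '<h1>Invoice</h1><style>@import url("https://example.invalid/theme.css");</style>'
        . '<p style="font-family:x" onclick="1">Total: <strong>42</strong></p>';
echo sanitizeHtmlForPdf($sample), PHP_EOL;

// Typical use from a request handler (paths are assumptions):
// $pdf = renderUntrustedHtmlToPdf($_POST['html'] ?? '', __DIR__ . '/pdf-assets');
// header('Content-Type: application/pdf');
// echo $pdf;
```

The allowlist approach is deliberately blunt: anything that can carry CSS is removed rather than filtered, because filtering CSS syntax is where parsers disagree. Disabling remote access and setting a chroot are defence in depth on top of upgrading to the fixed version, not a substitute for it.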