CVE-2022-28368

CRITICAL

dompdf < 1.2.1 - Remote Code Execution via CSS @font-face src:url

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 7 public exploits for CVE-2022-28368. PoCs published by Ravindu Wickramasinghe, rvzsec, rvizx, including Metasploit module exploits/multi/http/dompdf_rce_cve_2022_28368.

AI-analyzed exploit summary This exploit leverages CVE-2022-28368 in Dompdf <1.2.1 to achieve remote code execution by injecting a malicious font file via CSS. It sets up a local HTTP server to serve the payload and triggers a reverse shell.

Description

Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).

Exploits (7)

exploitdb WORKING POC
by Ravindu Wickramasinghe · pythonwebappsphp
https://www.exploit-db.com/exploits/51270

This exploit leverages CVE-2022-28368 in Dompdf <1.2.1 to achieve remote code execution by injecting a malicious font file via CSS. It sets up a local HTTP server to serve the payload and triggers a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dompdf <1.2.1
No auth needed
Prerequisites: Network access to the target Dompdf instance · Ability to inject CSS into the target application
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 16 stars
by rvzsec · poc
https://github.com/rvzsec/CVE-2022-28368

This repository contains a functional exploit for CVE-2022-28368, which targets Dompdf versions <1.2.1. The exploit leverages CSS injection to store a malicious font file with a .php extension in the font cache, leading to remote code execution when accessed.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dompdf <1.2.1
No auth needed
Prerequisites: Access to a vulnerable Dompdf instance · Network connectivity to the target · Ability to host malicious files on an attacker-controlled server
devstral-2 · analyzed Jun 01, 2026 Full analysis →
nomisec WORKING POC 16 stars
by rvizx · poc
https://github.com/rvizx/CVE-2022-28368

This is a functional PoC exploit for CVE-2022-28368, targeting Dompdf versions <1.2.1. It achieves RCE by injecting malicious CSS to store a PHP shell in the font cache, which is then executed via a reverse shell payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dompdf <1.2.1
No auth needed
Prerequisites: Access to a vulnerable Dompdf instance · Ability to inject CSS into the target endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by dugisan3rd · pythonpoc
https://github.com/dugisan3rd/exploit/tree/main/dompdf v1.2.1 RCE (CVE-2022-28368)

This repository contains a functional Python exploit for CVE-2022-28368, which achieves RCE in Dompdf 1.2.1 by leveraging a malicious @font-face CSS rule to fetch and execute a PHP payload disguised as a TTF font file. The exploit automates the process by spinning up a local web server to host the malicious files and triggering the vulnerability via HTTP requests.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dompdf v1.2.1
No auth needed
Prerequisites: Network access to the target Dompdf instance · Ability to host malicious files on an attacker-controlled server · Knowledge of the target's fonts directory path
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec WORKING POC
by Henryisnotavailable · poc
https://github.com/Henryisnotavailable/Dompdf-Exploit-RCE

This exploit leverages CVE-2022-28368 in Dompdf to achieve remote code execution by injecting a malicious CSS file that triggers a request to a PHP payload, which is then executed on the target server.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Dompdf (versions affected by CVE-2022-28368)
No auth needed
Prerequisites: Network access to the target Dompdf instance · Ability to host a malicious PHP file and CSS file on an attacker-controlled server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by That-Guy-Steve · poc
https://github.com/That-Guy-Steve/CVE-2022-28368-handler

This Python script exploits CVE-2022-28368, a remote code execution vulnerability in dompdf's cached font handling. It sets up a pseudo-HTTP server to deliver a malicious font file and triggers payload execution via a crafted URL.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: dompdf (versions affected by CVE-2022-28368)
No auth needed
Prerequisites: Network access to the target dompdf instance · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Maximilian Kirchmeier, Fabian Bräunlein, rvizx, msutovsky-r7, Adithya Pawar · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/dompdf_rce_cve_2022_28368.rb

This Metasploit module exploits CVE-2022-28368 in dompdf by leveraging malicious font caching to achieve remote code execution. It serves a crafted CSS file and a PHP-embedded TTF font to the target, which is then cached and executed via a direct HTTP request.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: dompdf versions prior to 1.2.1
No auth needed
Prerequisites: Ability to inject HTML/CSS into dompdf-processed data · Web-accessible dompdf font cache directory
devstral-2 · analyzed May 21, 2026 Full analysis →

References (7)

Core 7

Scores

CVSS v3 9.8
EPSS 0.8891
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Products (2)
dompdf/dompdf 0 - 1.2.1Packagist
dompdf_project/dompdf < 1.2.1
Published Apr 03, 2022
Tracked Since Feb 18, 2026