EIP-2026-112574

PRE-CVE

TCPDF Library 5.9 - Arbitrary File Deletion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-112574. PoCs published by Filippo Roncari.

AI-analyzed exploit summary This is a detailed technical analysis of a PHP object injection vulnerability in the TCPDF library (version <= 5.9). The vulnerability allows arbitrary file deletion via the __destruct() magic method, which calls unlink() on a controlled path through the buffer property.

Description

TCPDF Library 5.9 - Arbitrary File Deletion

Exploits (1)

exploitdb WRITEUP

by Filippo Roncari · textwebappsphp

https://www.exploit-db.com/exploits/37151

View Code ZIP pw:eip

This is a detailed technical analysis of a PHP object injection vulnerability in the TCPDF library (version <= 5.9). The vulnerability allows arbitrary file deletion via the __destruct() magic method, which calls unlink() on a controlled path through the buffer property.

Classification

Writeup 95%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Reliable

Target: TCPDF library <= 5.9

No auth needed

Prerequisites: Application using TCPDF library with unserialize() on user-controlled input

MITRE ATT&CK

T1559 - Inter-Process Communication

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026