TCPDF vulnerable to Regular Expression Denial of Service
TCPDF version <=6.7.4 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color.
Advisories for Composer/Tecnickcom/Tcpdf package
2024
TCPDF Cross-site Scripting vulnerability
TCPDF before 6.7.4 mishandles calls that use HTML syntax.
2018
Deserialization of Untrusted Data
Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.