doc: add warning based on wkhtmltopdf recommendations

Author: Arthurlbc

README.md

@@ -25,6 +25,30 @@ composer require knplabs/knp-snappy
 
 ## Usage
 
+> ⚠️ **Security Warning**
+>
+> A critical vulnerability was discovered in the use of the `--enable-local-file-access` option in `wkhtmltopdf`.
+> When enabled and used with untrusted HTML or JavaScript, this option may allow access to local files or even result in **remote code execution**, leading to a **full server compromise**.
+>
+> To reduce the risk:
+> - **Avoid enabling `--enable-local-file-access` unless absolutely necessary.**
+> - **Never process untrusted or user-supplied HTML/JS without strict sanitization.**
+> - **Run `wkhtmltopdf` in a sandbox** using tools like **AppArmor** or **SELinux**.
+> - Consider safer alternatives for untrusted content, such as **WeasyPrint**, **Prince** (commercial), or **Puppeteer** for JavaScript-heavy content.
+>
+> This vulnerability was discovered and responsibly disclosed by  
+> **Nikita Sveshnikov (Positive Technologies)**.
+>
+> 🔗 [Official security recommendations](https://wkhtmltopdf.org/status.html#recommendations)
+### ⚠️ Unsafe Options Overview
+
+| Option                      | Risk Level | Description                                             |
+|----------------------------|------------|---------------------------------------------------------|
+| `--enable-local-file-access` | High       | Allows access to local files from HTML – dangerous if input is not trusted |
+| `--enable-javascript`             | High       | Executes JavaScript – can be abused with user input     |
+
+
+
 ### Initialization
 ```php
 <?php