CVE-2026-40281 Gotenberg vulnerable to argument injection via newlines in ExifTool metadata values

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate...

GHSA-Q7R4-HC83-HF2Q Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)

Vulnerability Details CWE: CWE-20 - Improper Input Validation The metadata value sanitization introduced in v8.30.1 commit 405f106 only validates metadata KEYS via safeKeyPattern regex. Metadata VALUES are passed unsanitized to go-exiftool SetString, which writes them as fmt.Fprintlne.stdin,...