Gotenberg has a Server-Side Request Forgery (SSRF) Issue

Summary The SSRF hardening shipped in v8.31.0 only covers outbound URLs that Gotenberg's Go code handles — Chromium asset fetches, webhook delivery, and download-from. The LibreOffice conversion endpoint /forms/libreoffice/convert passes uploaded documents directly to LibreOffice without inspecti...

PT-2026-38381

Name of the Vulnerable Software and Affected Versions Gotenberg versions prior to 8.30.0 Description The ExifTool metadata write blocklist can be bypassed using group-prefix syntax, allowing an attacker to perform arbitrary file rename, move, hardlink, and symlink creation on the server. The...