22 matches found
CVE-2020-13451
CVE-2020-13451 affects Gotenberg up to version 6.2.1. The issue is described as an incomplete-cleanup vulnerability in the Office rendering engine, enabling an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros. Connected documents corroborate the vulnerab...
CVE-2020-13452
Gotenberg <= 6.2.1 is affected by insecure permissions on tini (writable by the gotenberg user), enabling an attacker to overwrite files and potentially trigger denial of service or code execution. Vulnerability details are supported by multiple sources (e.g., Red Hat, CNVD, OSV, Veracode) and...
CVE-2020-13449
CVE-2020-13449 affects Gotenberg's Markdown engine up to version 6.2.1, enabling directory traversal to read arbitrary container files. Root cause: directory traversal in the Markdown renderer. Impact: potential exposure of container files. Exploitation status: the PacketStorm entry indicates a c...
CVE-2020-13450
CVE-2020-13450 concerns Gotenberg, a Docker-powered stateless API for document conversion. The vulnerability is a directory traversal in the file upload function, affecting versions up to 6.2.1 (and earlier per sources). An attacker can upload and overwrite any writable files outside the intended...
CVE-2020-14161
CVE-2020-14161 affects Gotenberg and is exploited as a Server-Side Request Forgery (SSRF) via the /convert/html endpoint. The root cause is insecure handling of the src in HTML elements, enabling an attacker to reference internal files (e.g., file:// URIs) through the chromium module used by the ...
CVE-2020-14160
Gotenberg up to version 6.2.1 contains an SSRF in the remote URL to PDF conversion, allowing an attacker to read local files or access intranet resources. Affected component is the PDF conversion endpoint that processes remote URLs. The issue is evidenced across multiple sources (NVD description ...
CVE-2021-23345
CVE-2021-23345 affects the Go package github.com/thecodingmachine/gotenberg (and related Chromium module) with a Server-Side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute references an internal file (e.g., ). Connected sources confirm this SSRF behavior and provide ...
CVE-2026-40281
Gotenberg 8.x (
CVE-2026-42590
Gotenberg contains a vulnerability (CVE-2026-42590) where ExifTool group-prefix syntax can bypass the dangerous-tag blocklist in metadata handling, allowing arbitrary file rename, move, hardlinks, and symlinks on the server. The issue exists prior to version 8.30.0; the safeKeyPattern and prefix ...
CVE-2026-27018
CVE-2026-27018 affects Gotenberg and is a case-insensitive URL-scheme bypass of the prior fix for CVE-2024-21527. The root cause is a case-sensitive deny-list regex in Chromium URL handling, allowing mixed-case or uppercase schemes to bypass the deny-list. The issue has been patched in Gotenberg ...
CVE-2026-42593
CVE-2026-42593 affects Gotenberg: multiple routes (merge, split, LibreOffice convert, chromium convert variants) improperly accept stampSource=pdf/stampExpression and watermarkSource=pdf/watermarkExpression from anonymous callers. If stampExpression or watermarkExpression points to a file path th...
CVE-2026-42594
Gotenberg CVE-2026-42594 describes an unauthenticated denial of service caused by reuse of echo.Context in the webhook async flow. Prior to 8.32.0, a goroutine holds a reference to the request context after ErrAsyncProcess, and Echo recycles the context to a pool. If a concurrent request reuses t...
CVE-2026-35458
Gotenberg CVE-2026-35458 affects the Chromium module of Gotenberg (forms/chromium/screenshot/url) where user-supplied scope patterns are compiled with dlclark/regexp2 without a timeout, enabling ReDoS/backtracking that can hang workers and impact availability. Affected code paths and versions are...
CVE-2026-42589
Gotenberg exposes an unauthenticated RCE via the /forms/pdfengines/metadata/write endpoint. The root cause is that JSON metadata keys are passed to ExifTool without validation; a newline in a key allows injection of ExifTool flags (e.g., -if), enabling arbitrary code execution as the Gotenberg pr...
CVE-2026-42591
CVE-2026-42591 (Gotenberg) affects the LibreOffice conversion endpoint in Gotenberg up to version 8.32.0. Uploaded documents are passed directly to LibreOffice for conversion without content inspection, enabling SSRF because LibreOffice can fetch embedded external URLs on its own, bypassing the G...
CVE-2026-42592
Gotenberg (v7/v8) contains a DNS rebinding/SSRF issue in the FilterOutboundURL flow. Before 8.32.0, FilterOutboundURL resolves hostnames, filters IPs against a private-address deny-list, but discards the resolved addresses. Chromium then performs its own DNS resolution when navigating to the URL,...
CVE-2026-42596
CVE-2026-42596 describes an unauthenticated SSRF vulnerability in Gotenberg’s default deny-list filtering for the downloadFrom and webhook features. The issue arises because the deny-lists are regex-based and case-sensitive, allowing attacker-controlled URLs (e.g., IPv4-mapped IPv6 loopback forms...
CVE-2026-40280
Gotenberg vulnerability (CVE-2026-40280) enables SSRF through a case-insensitive URL scheme bypass in the webhook and api-download-from deny-lists. In versions
CVE-2026-40893
CVE-2026-40893 (Gotenberg/ExifTool blocklist bypass) Prior to 8.31.0, Gotenberg’s metadata processing only blocked the bare tag name (FileName), allowing group-prefixed tags like System:FileName to bypass the blocklist, enabling remote attackers to rename, move, or alter file permissions within t...
CVE-2026-42597
Gotenberg’s Chromium URL routes (/forms/chromium/convert/url and /forms/chromium/screenshot/url) allow file:// access to /tmp for anonymous callers, enabling cross-request data exfiltration by enumerating work/request directories during overlapping conversions. This is caused by the HTML/Markdown...
CVE-2026-42595
CVE-2026-42595 describes an SSRF flaw in Gotenberg’s Chromium URL endpoint (/forms/chromium/convert/url) prior to version 8.32.0. The default deny-list blocks only file:// URIs, leaving HTTP/HTTPS targets—including internal IPs and cloud metadata endpoints—unrestricted. An unauthenticated attacke...
CVE-2026-39383
Gotenberg (v8.x) is vulnerable to an unauthenticated blind SSRF via the Gotenberg-Webhook-Url header. In 8.29.1, the FilterDeadline gate returns nil when both allow-list and deny-list are empty, allowing outbound HTTP POSTs to arbitrary destinations and enabling internal network probing, forced P...