VYPR
Critical severity 9.8 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 14, 2026

CVE-2026-35458

Description

Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
github.com/gotenberg/gotenberg/v8 | Go | < 8.30.0 | 8.30.0

Patches

cfb48d9af48c

fix(regex): add timeout

https://github.com/gotenberg/gotenberg · Julien Neuhart · Apr 2, 2026 · via ghsa
1 file changed · +1 0
  • pkg/modules/chromium/routes.go+1 0 modified
    @@ -202,6 +202,7 @@ func FormDataChromiumOptions(ctx *api.Context) (*api.FormData, Options) {
     						err = errors.Join(err, fmt.Errorf("invalid scope regex pattern for header '%s': %w", k, errCompile))
     						continue
     					}
    +					p.MatchTimeout = 5 * time.Second
     					scopeRegexp = p
     				}
     
    

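Review bot: the `5 * time.Second` budget on the added `p.MatchTimeout` line is a hard-coded literal and is generous for a scope pattern; because the timeout applies to each match, a pattern that backtracks heavily can still hold a worker for up to five seconds on every evaluation. Consider a named constant or a configurable value with a shorter default. The code that evaluates `scopeRegexp` is outside this hunk: regexp2 reports an exceeded MatchTimeout as an error from the match call, so confirm that the call site checks that error instead of discarding it. The error message in the context lines refers to a header scope pattern only, so any other place that compiles a user-supplied pattern needs the same assignment. The change is a single added line in one file, so no test accompanies it; a regression test that compiles a pattern with nested quantifiers and asserts the match returns within the budget would pin the behaviour.
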