High severity8.2GHSA Advisory· Published May 14, 2026· Updated May 14, 2026

CVE-2026-40893

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. This vulnerability is fixed in 8.31.0.

Affected products

Gotenberg/GotenbergGHSA
Range: <= 8.30.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-62p3-hvxx-fxg4ghsaADVISORY
github.com/gotenberg/gotenberg/security/advisories/GHSA-62p3-hvxx-fxg4nvd
nvd.nist.gov/vuln/detail/CVE-2026-40893ghsa

News mentions

No linked articles in our index yet.

cvss	0.533
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000