High severity8.2GHSA Advisory· Published May 14, 2026· Updated May 14, 2026

CVE-2026-42591

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters. This vulnerability is fixed in 8.32.0.

Affected products

Gotenberg/GotenbergGHSA
Range: <= 8.31.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-rm4c-xj6x-49mwghsaADVISORY
github.com/gotenberg/gotenberg/security/advisories/GHSA-rm4c-xj6x-49mwnvd
nvd.nist.gov/vuln/detail/CVE-2026-42591ghsa

News mentions

No linked articles in our index yet.

cvss	0.533
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000