VYPR

Gotenberg

by Gotenberg

Source repositories

CVEs (25)

  • CVE-2026-40281CriMay 6, 2026
    risk 0.58cvss 10.0epss 0.01

    Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line…

  • CVE-2026-42589CriMay 14, 2026
    risk 0.57cvss 9.8epss 0.03

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key…

  • CVE-2026-35458CriApr 7, 2026
    risk 0.57cvss 9.8epss 0.01

    Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.

  • CVE-2026-42596CriMay 14, 2026
    risk 0.54cvss 9.4epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such…

  • CVE-2026-42591HigMay 14, 2026
    risk 0.53cvss 8.2epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on…

  • CVE-2026-42595HigMay 14, 2026
    risk 0.49cvss 8.6epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based SSRF. The default deny-list regex only blocks file:// URIs. An unauthenticated…

  • CVE-2026-42590HigMay 14, 2026
    risk 0.46cvss 8.2epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool…

  • CVE-2026-40893HigMay 14, 2026
    risk 0.46cvss 8.2epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions…

  • CVE-2024-21527HigJul 19, 2024
    risk 0.46cvss 8.2epss 0.01

    Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are…

  • CVE-2026-45741higMay 29, 2026
    risk 0.45cvss epss 0.00

    ### Summary `IsPublicIP` in `pkg/gotenberg/outbound.go` incorrectly classifies IPv6 6to4 / NAT64 / deprecated site-local addresses as public IPs, allowing an unauthenticated attacker to reach internal destinations (e.g., cloud metadata services at `169.254.169.254`) via a…

  • CVE-2026-42594HigMay 14, 2026
    risk 0.42cvss 7.5epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool.…

  • CVE-2026-40280HigMay 5, 2026
    risk 0.42cvss 7.5epss 0.00

    Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's…

  • CVE-2026-27018HigMar 30, 2026
    risk 0.42cvss 7.5epss 0.01

    Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.

  • CVE-2026-39383HigMay 5, 2026
    risk 0.40cvss 7.2epss 0.00

    Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url…

  • CVE-2026-55229higJun 18, 2026
    risk 0.38cvss epss

    **Summary** Server-Side Request Forgery (SSRF) vulnerability affecting the `/forms/libreoffice/convert` endpoint in Gotenberg v8.33.0 running with the default configuration. By uploading a specially crafted DOCX document, an attacker can cause LibreOffice to automatically…

  • CVE-2026-45742higMay 29, 2026
    risk 0.38cvss epss 0.00

    ### Summary Gotenberg is vulnerable to a remote denial of service in multipart `downloadFrom` handling. A multipart request containing multiple `downloadFrom` entries causes concurrent goroutines to write to shared maps without synchronization. This can terminate the process…

  • CVE-2026-44829higMay 29, 2026
    risk 0.38cvss epss 0.00

    ### Summary `filepath.Base` on the Linux container does not strip backslashes (`\`), because `\` is only a path separator on Windows. A multipart filename like `..\..\..\..\Windows\System32\evil.pdf` survives Gotenberg's input sanitisation and lands verbatim as the zip entry…

  • CVE-2026-42592MedMay 14, 2026
    risk 0.34cvss 5.3epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS…

  • CVE-2026-42597MedMay 14, 2026
    risk 0.31cvss 5.9epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so…

  • CVE-2026-42593MedMay 14, 2026
    risk 0.27cvss 5.3epss 0.00

    Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf…

Page 1 of 2