cbcvebase.
CVE-2026-40893
published 2026-05-14


Priority: P3 52
Severity: high, CVSS 3.1 base score 8.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
EPSS: 0.35% (26.6th percentile)
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. This vulnerability is fixed in 8.31.0.

The mechanism: user-supplied metadata tag names are handed to ExifTool, which accepts a tag qualified with its group name (System:FileName is the same tag as FileName) and matches tag names case-insensitively. Tags in ExifTool's System group do not write embedded metadata at all; writing FileName, Directory or FilePermissions renames, moves or chmods the file on disk. An exact string comparison against the single spelling "FileName" therefore blocks neither the group-qualified form nor the other System-group tags. The files reachable are those the Gotenberg process can write to inside its container, which is reflected in the unchanged-scope, high-integrity CVSS vector.
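The exact-match check described in the advisory beside a hardened replacement, as an added illustration in Go (the language Gotenberg is written in). This is example code, not Gotenberg's own source or its 8.31.0 fix: the function names, the deny set of System-group tags (assumed and non-exhaustive), and the ExifTool argument builder are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// isForbiddenVulnerable is the check pattern the advisory describes, written
// here for illustration (it is not Gotenberg's source): only an exact match
// on "FileName" is refused, so the group-qualified "System:FileName" and the
// differently cased "filename" both reach ExifTool.
func isForbiddenVulnerable(tag string) bool {
	return tag == "FileName"
}

// ExifTool "System" group tags that, when written, act on the file on disk
// (rename, move, chmod, touch, link) instead of on embedded metadata.
// Assumed, non-exhaustive list for this example; keys are lower-case because
// ExifTool matches tag names case-insensitively.
var filesystemTags = map[string]struct{}{
	"filename":        {},
	"directory":       {},
	"filepermissions": {},
	"filemodifydate":  {},
	"filecreatedate":  {},
	"hardlink":        {},
	"symlink":         {},
}

// bareTag admits only a plain tag name. A ':' (group prefix such as
// "System:"), '<', '+', '#' or whitespace would change how ExifTool
// interprets the argument, so all of those are refused up front.
var bareTag = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// isForbiddenHardened normalises before comparing: no group prefixes at all,
// then a case-insensitive lookup of the bare name in the deny set.
func isForbiddenHardened(tag string) bool {
	if !bareTag.MatchString(tag) {
		return true
	}
	_, denied := filesystemTags[strings.ToLower(tag)]
	return denied
}

// buildExifToolArgs turns a user-supplied metadata map into "-Tag=Value"
// arguments, refusing the whole request if any tag fails the hardened check.
// Keys are sorted so the result is deterministic.
func buildExifToolArgs(metadata map[string]string) ([]string, error) {
	tags := make([]string, 0, len(metadata))
	for tag := range metadata {
		tags = append(tags, tag)
	}
	sort.Strings(tags)

	args := []string{"-overwrite_original"}
	for _, tag := range tags {
		if isForbiddenHardened(tag) {
			return nil, fmt.Errorf("metadata tag %q is not allowed", tag)
		}
		args = append(args, "-"+tag+"="+metadata[tag])
	}
	return args, nil
}

func main() {
	// Constructed sample tags: the first two are legitimate metadata, the
	// rest are the kinds of names an exact-match check lets through.
	for _, tag := range []string{"Author", "Title", "FileName", "System:FileName",
		"filename", "System:Directory", "FilePermissions"} {
		fmt.Printf("%-18s vulnerable-check blocks=%-5t hardened-check blocks=%t\n",
			tag, isForbiddenVulnerable(tag), isForbiddenHardened(tag))
	}
}
```

Two things the example makes visible. First, a deny list keyed on one spelling is the wrong shape for ExifTool input: group prefixes and case folding are both ExifTool features, so the check has to normalise (or, as here, refuse anything that is not a bare name) before it compares. Second, the tag name, not only the value, is attacker-controlled argv content; ExifTool's own `-Tag<=FILE` syntax lives in that position, which is why the regex excludes `<` and `=` alongside `:`. The cost of the bare-name rule is that legitimately group-qualified tags such as XMP-dc:Creator are also refused; a project that needs them would have to allowlist specific groups instead.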

Affected (3 ranges)

Vendor            Product                                                        Version range   Fixed in
github.com        gotenberg_gotenberg_v8 (Go module github.com/gotenberg/gotenberg/v8)   0 – 8.30.1
gotenberg         gotenberg                                                      < 8.31.0        8.31.0
thecodingmachine  gotenberg                                                      < 8.31.0        8.31.0