cbcvebase.
CVE-2026-42591
published 2026-05-14

CVE-2026-42591: Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded…

PriorityP347high8.2CVSS 3.1
AVNACLPRNUINSUCHILAN
EPSS
0.24%
15.5th percentile
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters. This vulnerability is fixed in 8.32.0.

Affected

3 ranges
VendorProductVersion rangeFixed in
github.comgotenberg_gotenberg_v80 – 8.31.0
gotenberggotenberg< 8.32.08.32.0
thecodingmachinegotenberg< 8.32.08.32.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.