CVE-2026-42593
published 2026-05-14CVE-2026-42593: Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url…
PriorityP432medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
0.31%
22.8th percentile
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression=/path from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg process can access on the container filesystem. This vulnerability is fixed in 8.32.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v8 | 0 – 8.31.0 | — |
| gotenberg | gotenberg | < 8.32.0 | 8.32.0 |
| thecodingmachine | gotenberg | < 8.32.0 | 8.32.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Gotenberg up to 8.31.x PDF File path traversal (GHSA-3cv5-q585-h563 / EUVD-2026-30314)
vuldb·2026-05-14·CVSS 5.3
CVE-2026-42593 [MEDIUM] Gotenberg up to 8.31.x PDF File path traversal (GHSA-3cv5-q585-h563 / EUVD-2026-30314)
A vulnerability marked as critical has been reported in Gotenberg up to 8.31.x. Affected by this vulnerability is an unknown functionality of the component PDF File Handler. This manipulation causes path traversal.
This vulnerability appears as CVE-2026-42593. The attack may be initiated remotely. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
Goteberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
ghsa·2026-05-07
CVE-2026-42593 [MEDIUM] CWE-22 Goteberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
Goteberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
## Summary
Six conversion routes (`pdfengines/merge`, `pdfengines/split`, `libreoffice/convert`, `chromium/convert/url`, `chromium/convert/html`, `chromium/convert/markdown`) accept `stampSource=pdf` + `stampExpression=/path` and `watermarkSource=pdf` + `watermarkExpression=/path` from anonymous callers. The dedicated stamp/watermark routes require an uploaded file when the source type is image or pdf; these six routes only overwrite the expression when a file is uploaded, leaving the user-controlled path intact when no file is attached. pdfcpu opens the path and composites its pages onto the output PDF, which returns to the caller. An attacker reads any PDF the Gotenberg proce
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-14
Published