cbcvebase.
CVE-2026-42597
published 2026-05-14

CVE-2026-42597: Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept…

PriorityP335medium5.9CVSS 3.1
AVNACHPRNUINSUCHINAN
EPSS
0.25%
16.3th percentile
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can load their own request-local assets, and those routes apply a per-request AllowedFilePrefixes guard to scope the read. The URL routes never set AllowedFilePrefixes, so the scope guard silently skips. Alice enumerates /tmp/, walks Gotenberg's per-request working directories, and reads the raw source files of other in-flight conversions as rendered PDF output. This vulnerability is fixed in 8.32.0.

Affected

3 ranges
VendorProductVersion rangeFixed in
github.comgotenberg_gotenberg_v8>= 0 < 8.32.08.32.0
gotenberggotenberg< 8.32.08.32.0
thecodingmachinegotenberg< 8.32.08.32.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.