github.com/gotenberg/gotenberg/v8 vulnerabilities
19 known vulnerabilities affecting github.com/gotenberg/gotenberg/v8.
Total CVEs: 19
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 13, MEDIUM 4
Vulnerabilities
CVE-2026-40281 | P2 | CRITICAL | ≥ 0, < 8.31.0 | 2026-04-30
CVE-2026-40281 [CRITICAL] CWE-88 Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)
## Vulnerability Details
**CWE**: CWE-20 - Improper Input Validation
The metadata value sanitization introduced in v8.30.1 (commit 405f106) only validates metadata KEYS via safeKeyPattern regex. Metadata VALUES are passed unsanitized to go-exifto
ghsa
CVE-2026-42596 | P2 | CRITICAL | ≥ 0, < 8.32.0 | 2026-05-07
CVE-2026-42596 [CRITICAL] CWE-918 Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
### Summary
The default deny-lists used by Gotenberg's `downloadFrom` feature and `webhook` feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as `http://[::ffff:127.0.0.1]:...` and rea
ghsa
CVE-2026-35458 | P3 | HIGH | ≥ 0, < 8.30.0 | 2026-04-07
CVE-2026-35458 [HIGH] CWE-1333 Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
### Summary
Gotenberg uses `dlclark/regexp2` to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.
### Details
Gotenberg uses `dlclark/regexp2` to compile user-supplied scope patterns (gotenberg/pkg/modules/chromium/routes.go:200) with no
ghsa, osv
CVE-2026-40280 | P3 | HIGH | CVSS 7.8 | ≥ 0, < 8.31.0 | 2026-04-30
CVE-2026-40280 [HIGH] CWE-918 Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
## Vulnerability Details
**CWE**: CWE-918 - Server-Side Request Forgery (SSRF)
The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex (^https?://). Any uppercase URL scheme variant (HTTP://
ghsa
CVE-2026-42595 | P3 | HIGH | ≥ 0, < 8.32.0 | 2026-05-11
CVE-2026-42595 [HIGH] CWE-918 Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass
A review of 4 published Gotenberg security advisories exposed an SSRF issue. GHSA-pjrr-jgp4-v2fm covers SSRF via the `downloadFrom` endpoint. GHSA-pcrp-7g9h-7qhp covers SSRF via the `webhook` endpoint. Neither advisory addresses SSRF through the primary Chromium UR
ghsa
CVE-2026-40893 | P3 | HIGH | ≥ 0, ≤ 8.30.1 | 2026-05-04
CVE-2026-40893 [HIGH] CWE-20 Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move
### Summary
Gotenberg blocks certain ExifTool tag names like `FileName` and `Directory` to stop attackers from renaming or moving files on the server. But ExifTool allows a longer form of the same tag — `System:
ghsa
CVE-2024-21527 | P3 | HIGH | CVSS 8.2 | ≥ 0, < 8.1.0 | 2024-07-22
CVE-2024-21527 [HIGH] CVE-2024-21527 in github.com/gotenberg/gotenberg
osv
CVE-2026-42590 | P3 | HIGH | ≥ 0, ≤ 8.29.1 | 2026-05-07
CVE-2026-42590 [HIGH] CWE-184 Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
**Summary**
The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. This is a bypass of the fix for GHSA-qmwh-9m9c-h36m.
**Details**
The blocklist in `pkg/modules/exiftool/exiftool.g
ghsa
CVE-2026-39383 | P3 | HIGH | ≥ 8.29.1, < 8.31.0 | 2026-04-30
CVE-2026-39383 [HIGH] CWE-918 Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL
# CVE Report — Unauthenticated SSRF via Unfiltered Webhook URL in Gotenberg
## Severity
| Field | Value |
|-----------|----------------------------------------|
| CVSS v3.1 | **8.6 High** |
| Vector | `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N` |
| CWE | CWE-918 — Server-Side Request Forgery |
| Auth | None |
**Affected:** Got
ghsa
CVE-2026-42591 | P3 | HIGH | ≥ 0, ≤ 8.31.0 | 2026-05-07
CVE-2026-42591 [HIGH] CWE-918 Gotenberg has a Server-Side Request Forgery (SSRF) Issue
### Summary
The SSRF hardening shipped in v8.31.0 only covers outbound URLs that Gotenberg's Go code handles — Chromium asset fetches, webhook delivery, and download-from. The LibreOffice conversion endpoint (`/forms/libreoffice/convert`) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any em
ghsa
CVE-2026-27018 | P3 | HIGH | CVSS 8.2 | ≥ 0, < 8.29.0 | 2026-03-30
CVE-2026-27018 [HIGH] CWE-22 Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
### Impact
The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.
The default `--chromium-deny-list` value is `^file:(?!//\/tmp/).*`. This regex is anchored to lowercase `file:` a
ghsa, osv
CVE-2026-42594 | P3 | HIGH | ≥ 0, < 8.32.0 | 2026-05-07
CVE-2026-42594 [HIGH] CWE-362 Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine
## Summary
The webhook middleware spawns a goroutine that holds a reference to the request's `echo.Context` after the synchronous handler returns `ErrAsyncProcess` and Echo recycles the context back to its `sync.Pool`. When a concurrent request claims the
ghsa
CVE-2026-42597 | P3 | MEDIUM | ≥ 0, < 8.32.0 | 2026-05-07
CVE-2026-42597 [MEDIUM] CWE-73 Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme
## Summary
The `/forms/chromium/convert/url` and `/forms/chromium/screenshot/url` routes accept `url=file:///tmp/...` from anonymous callers. The default Chromium deny-list intentionally exempts `file:///tmp/` so HTML/Markdown routes can load their own request-lo
ghsa
CVE-2026-42593 | P4 | MEDIUM | ≥ 0, ≤ 8.31.0 | 2026-05-07
CVE-2026-42593 [MEDIUM] CWE-22 Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
## Summary
Six conversion routes (`pdfengines/merge`, `pdfengines/split`, `libreoffice/convert`, `chromium/convert/url`, `chromium/convert/html`, `chromium/convert/markdown`) accept `stampSource=pdf` + `stampExpression=/path` and `watermarkSou
ghsa
CVE-2026-42592 | P4 | MEDIUM | ≥ 0, ≤ 8.31.0 | 2026-05-07
CVE-2026-42592 [MEDIUM] CWE-367 Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
## Summary
`FilterOutboundURL` resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hos
ghsa
CVE-2026-45741 | MEDIUM | CVSS 6.3 | ≥ 0, ≤ 8.32.0 | 2026-05-29
CVE-2026-45741 [MEDIUM] CWE-184 Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes
### Summary
`IsPublicIP` in `pkg/gotenberg/outbound.go` incorrectly classifies IPv6 6to4 / NAT64 / deprecated site-local addresses as public IPs, allowing an unauthenticated attacker to reach internal destinations (e.g., cloud metadata services at `169.254.169.254`) via a
ghsa
CVE-2026-55229 | HIGH | ≥ 0, < 8.34.0 | 2026-06-18
CVE-2026-55229 [HIGH] CWE-918 Gotenberg: SSRF via LibreOffice document processing
**Summary**
Server-Side Request Forgery (SSRF) vulnerability affecting the `/forms/libreoffice/convert` endpoint in Gotenberg v8.33.0 running with the default configuration.
By uploading a specially crafted DOCX document, an attacker can cause LibreOffice to automatically retrieve external resources during document conversion. As a result, outbound requests are
ghsa
CVE-2026-45742 | HIGH | ≥ 8.10.0, < 8.33.0 | 2026-05-29
CVE-2026-45742 [HIGH] CWE-362 Gotenberg has a Race Condition via Multipart `downloadFrom` Handling
### Summary
Gotenberg is vulnerable to a remote denial of service in multipart `downloadFrom` handling.
A multipart request containing multiple `downloadFrom` entries causes concurrent goroutines to write to shared maps without synchronization. This can terminate the process with `fatal error: concurrent map writes`.
In the de
ghsa
CVE-2026-44829 | HIGH | ≥ 0, < 8.33.0 | 2026-05-29
CVE-2026-44829 [HIGH] CWE-22 Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename
### Summary
`filepath.Base` on the Linux container does not strip backslashes (`\`), because `\` is only a path separator on Windows. A multipart filename like `..\..\..\..\Windows\System32\evil.pdf` survives Gotenberg's input sanitisation and lands verbatim as the zip entry name
ghsa