What is CVE-2026-42596?

CVE-2026-42596 is a critical-severity vulnerability in Gotenberg, classified under Server-Side Request Forgery (SSRF). CVSS score: 9.4/10. Published 2026-05-14.

How severe is CVE-2026-42596?

Critical severity. CVSS v3 base score is 9.4 out of 10.

SSRF in Gotenberg

CVE-2026-42596

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauth…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.001 (24.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.4 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L.

Affected products

Gotenberg — versions < 8.31.0
Thecodingmachine Gotenberg

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

security-advisories@github.com (x_refsource_CONFIRM, Exploit, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-42596?: CVE-2026-42596 is a critical-severity vulnerability in Gotenberg, classified under Server-Side Request Forgery (SSRF). CVSS score: 9.4/10. Published 2026-05-14.
How severe is CVE-2026-42596?: Critical severity. CVSS v3 base score is 9.4 out of 10.