Thecodingmachine Gotenberg
14 CVEs affecting Thecodingmachine Gotenberg. Latest disclosed: 2026-05-14. Critical: 3, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-40281 | Critical | 10.0 | 2026-05-06 | Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control char… |
| CVE-2026-42589 | Critical | 9.8 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata… |
| CVE-2026-42596 | Critical | 9.4 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature… |
| CVE-2026-42595 | High | 8.6 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no defau… |
| CVE-2026-42591 | High | 8.2 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded do… |
| CVE-2026-42590 | High | 8.2 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, the ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's… |
| CVE-2026-40893 | High | 8.2 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips righ… |
| CVE-2026-42594 | High | 7.5 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's e… |
| CVE-2026-40280 | High | 7.5 | 2026-05-05 | Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-dow… |
| CVE-2026-27018 | High | 7.5 | 2026-03-30 | Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or upperca… |
| CVE-2026-39383 | High | 7.2 | 2026-05-05 | Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HT… |
| CVE-2026-42597 | Medium | 5.9 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept ur… |
| CVE-2026-42593 | Medium | 5.3 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chro… |
| CVE-2026-42592 | Medium | 5.3 | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the privat… |