Browse all 5 CVE security advisories affecting gotenberg. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Gotenberg is an API for converting HTML, Markdown, and Office documents to PDF, primarily used for document processing in web applications. Historically, it has been vulnerable to remote code execution (RCE) through template injection, cross-site scripting (XSS) via malicious document content, and privilege escalation through insecure default configurations. The project has addressed multiple CVEs, including RCE flaws in template processing and XSS vulnerabilities in document rendering. While no major public security incidents have been documented, the consistent pattern of template-related RCE vulnerabilities suggests that input validation and sandboxing remain critical areas for secure deployment.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-40281 | Gotenberg vulnerable to argument injection via newlines in ExifTool metadata values — gotenberg, CWE-88 | 10.0 | Critical | 2026-05-06 |
| CVE-2026-39383 | Gotenberg unauthenticated blind SSRF via unfiltered webhook URL — gotenberg, CWE-918 | 8.2 | - | 2026-05-05 |
| CVE-2026-40280 | Gotenberg SSRF via case-insensitive URL scheme bypass in webhook and downloadFrom deny-lists — gotenberg, CWE-918 | 5.3 | - | 2026-05-05 |
| CVE-2026-35458 | Gotenberg has a ReDoS via extraHttpHeaders scope feature — gotenberg, CWE-1333 | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-27018 | Gotenberg: Chromium deny-list bypass via case-insensitive URL scheme — gotenberg, CWE-22 | 5.3 | - | 2026-03-30 |
This page lists every published CVE security advisory associated with gotenberg. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.