CVE-2026-42589

9.8 CRITICAL

Gotenberg is a Docker-powered stateless API for PDF files

Published: 2026-05-14 · Last updated: 2026-05-18

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78

Affected products

Vendor	Product
thecodingmachine	gotenberg

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42589
[Vendor advisory]https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657
[Vendor advisory]https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657

Related CVEs

Same vendor

CVE-2026-42597 — Gotenberg is a Docker-powered stateless API for PDF files (5.9 MEDIUM)
CVE-2026-42596 — Gotenberg is a Docker-powered stateless API for PDF files (9.4 CRITICAL)
CVE-2026-42595 — Gotenberg is a Docker-powered stateless API for PDF files (8.6 HIGH)
CVE-2026-42594 — Gotenberg is a Docker-powered stateless API for PDF files (7.5 HIGH)
CVE-2026-42593 — Gotenberg is a Docker-powered stateless API for PDF files (5.3 MEDIUM)

Same CWE

CVE-2026-42846 — ClipBucket v5 is an open source video sharing platform (9.8 CRITICAL)
CVE-2026-45172 — Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0....
CVE-2026-48547 — KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands ... (7.3 HIGH)
CVE-2026-49261 — MariaDB server is a community developed fork of MySQL server (10.0 CRITICAL)
CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)