QSearchQSearch

CVE-2026-42591

8.2 HIGH

Gotenberg is a Docker-powered stateless API for PDF files

Published: 2026-05-14 · Last updated: 2026-05-18

Severity and scoring

CVSS
8.2 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE
CWE-918

Affected products

VendorProduct
thecodingmachinegotenberg

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters. This vulnerability is fixed in 8.32.0.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-42597 Gotenberg is a Docker-powered stateless API for PDF files (5.9 MEDIUM)
  • CVE-2026-42596 Gotenberg is a Docker-powered stateless API for PDF files (9.4 CRITICAL)
  • CVE-2026-42595 Gotenberg is a Docker-powered stateless API for PDF files (8.6 HIGH)
  • CVE-2026-42594 Gotenberg is a Docker-powered stateless API for PDF files (7.5 HIGH)
  • CVE-2026-42593 Gotenberg is a Docker-powered stateless API for PDF files (5.3 MEDIUM)

Same CWE

  • CVE-2026-53859 OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-... (6.5 MEDIUM)
  • CVE-2026-47684 Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing (7.7 HIGH)
  • CVE-2025-60175 Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions (4.4 MEDIUM)
  • CVE-2026-50888 An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allow... (8.1 HIGH)
  • CVE-2026-50887 A Server-Side Request Forgery (SSRF) in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan inte... (9.1 CRITICAL)