Package impact
GO / github.com/gotenberg/gotenberg/v8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42589 | critical | 9.8 | 9.8 | 21d ago | Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection | |||
| CVE-2026-42596 | critical | 9.4 | 9.4 | 21d ago | Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook | |||
| CVE-2026-40281 | critical | 9.1 | 9.1 | 28d ago | Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix) | |||
| CVE-2026-42597 | medium | 5.9 | 5.9 | 21d ago | Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme | |||
| CVE-2026-42593 | medium | 5.3 | 5.3 | 21d ago | Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes | |||
| CVE-2026-42592 | medium | 5.3 | 5.3 | 21d ago | Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes |