Package impact

golang Go / github.com/gotenberg/gotenberg/v8

| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42589 | critical | 9.8 | 9.8 | | | | 21d ago | Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection |
| CVE-2026-42596 | critical | 9.4 | 9.4 | | | | 21d ago | Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook |
| CVE-2026-40281 | critical | 9.1 | 9.1 | | | | 28d ago | Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix) |
| CVE-2026-42595 | high | 8.6 | 8.6 | | | | 21d ago | Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass |
| CVE-2026-42591 | high | 8.2 | 8.2 | | | | 21d ago | Gotenberg has a Server-Side Request Forgery (SSRF) Issue |
| CVE-2026-42590 | high | 8.2 | 8.2 | | | | 21d ago | Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist |
| CVE-2026-40893 | high | 8.2 | 8.2 | | | | 21d ago | Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move |
| CVE-2026-42594 | high | 7.5 | 7.5 | | | | 21d ago | Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine |
| CVE-2026-40280 | high | 7.5 | 7.5 | | | | 29d ago | Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection |
| CVE-2026-27018 | high | 7.5 | 7.5 | | | | 2mo ago | Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3) in github.com/gotenberg/gotenberg |
| CVE-2026-39383 | high | 7.2 | 7.2 | | | | 29d ago | Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL |
| CVE-2026-45742 | unknown | | | | | | 6d ago | Gotenberg has a Race Condition via Multipart `downloadFrom` Handling |
| CVE-2026-45741 | unknown | | | | | | 6d ago | Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes |
| CVE-2026-44829 | unknown | | | | | | 6d ago | Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename |