216.73.217.22

CVE-2026-40281

· Published 06/05/2026 23:16 · Modified 16/06/2026 13:48 · Author: The MITRE Corporation

Labels: CVE-2026-40281 2026-05-06CVE-2026-40281CWE-88[email protected]

Essential information

Published
06/05/2026 23:16
Modified
16/06/2026 13:48
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
9.1 CRITICAL (v3.1)
CISA KEV
No
CWE
CWE-88
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS metrics

Description

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
gotenberg / gotenberg cpe:2.3:a:gotenberg:gotenberg:<8.30.1:*:*:*:*:*:*:*

References

Related entities

Attack reports, intrusion sets, malwares, attack patterns and indicators linked to this vulnerability.

Attack reports (1)