8.2
CVE-2026-42590
- EPSS 0.29%
- Veröffentlicht 14.05.2026 15:36:30
- Zuletzt bearbeitet 18.05.2026 12:15:42
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginGotenberg: ExifTool group-prefix syntax bypasses dangerous-tag blocklist
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Thecodingmachine ≫ Gotenberg Version < 8.30.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.204 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.2 | 3.9 | 4.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
|
CWE-184 Incomplete List of Disallowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855