Thecodingmachine

Gotenberg

22 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.1

CVE-2026-40281

Exploit
  • EPSS 0.61%
  • Veröffentlicht 06.05.2026 20:46:47
  • Zuletzt bearbeitet 11.05.2026 14:46:07

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value spli...

7.2

CVE-2026-39383

Exploit
  • EPSS 0.24%
  • Veröffentlicht 05.05.2026 21:16:22
  • Zuletzt bearbeitet 08.05.2026 19:02:10

Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL ...

7.5

CVE-2026-40280

Exploit
  • EPSS 0.46%
  • Veröffentlicht 05.05.2026 20:16:38
  • Zuletzt bearbeitet 08.05.2026 19:06:45

Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match UR...

9.8

CVE-2026-35458

Exploit
  • EPSS 0.5%
  • Veröffentlicht 07.04.2026 14:24:21
  • Zuletzt bearbeitet 14.04.2026 20:27:23

Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indef...

7.5

CVE-2026-27018

Exploit
  • EPSS 0.54%
  • Veröffentlicht 30.03.2026 20:14:32
  • Zuletzt bearbeitet 29.04.2026 01:00:01

Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.

6.1

CVE-2020-14161

  • EPSS 0.9%
  • Veröffentlicht 26.08.2021 11:15:09
  • Zuletzt bearbeitet 21.11.2024 05:02:46

It is possible to inject HTML and/or JavaScript in the HTML to PDF conversion in Gotenberg through 6.2.1 via the /convert/html endpoint.

7.5

CVE-2020-14160

  • EPSS 1.7%
  • Veröffentlicht 26.08.2021 11:15:07
  • Zuletzt bearbeitet 21.11.2024 05:02:46

An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able to read local files or fetch intranet resources.

5.3

CVE-2021-23345

Exploit
  • EPSS 1.05%
  • Veröffentlicht 26.02.2021 18:15:12
  • Zuletzt bearbeitet 21.11.2024 05:51:32

All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:/...

9.8

CVE-2020-13452

  • EPSS 2.75%
  • Veröffentlicht 07.01.2021 22:15:11
  • Zuletzt bearbeitet 21.11.2024 05:01:18

In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.

7.5

CVE-2020-13449

Exploit
  • EPSS 4.94%
  • Veröffentlicht 07.01.2021 22:15:10
  • Zuletzt bearbeitet 21.11.2024 05:01:17

A directory traversal vulnerability in the Markdown engine of Gotenberg through 6.2.1 allows an attacker to read any container files.