CVE-2026-40281

CRITICAL 10.0

Gotenberg vulnerable to argument injection via newlines in ExifTool metadata values

CVSS Score

10.0

EPSS Score

0.0%

EPSS Percentile

0th

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.

CWE	CWE-88
Vendor	gotenberg
Product	gotenberg
Published	May 6, 2026

Stay Ahead of the Next One

Get instant alerts for gotenberg gotenberg

Be the first to know when new critical vulnerabilities affecting gotenberg gotenberg are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

gotenberg / gotenberg

<= 8.30.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-q7r4-hc83-hf2q github.com: https://github.com/gotenberg/gotenberg/commit/405f1069c026bb08f319fb5a44e5c67c33208318