pkg:Go/github.com/gotenberg/gotenberg/v8

21 total CVEs: CRITICAL 4, HIGH 9, MEDIUM 4

All known vulnerabilities

  • CRITICAL 10.0 CVE-2026-40281: Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)
    from 0, < 8.31.0
  • CRITICAL 9.8 CVE-2026-42589: Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection
  • CRITICAL 9.4 CVE-2026-42596: Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
    from 0, < 8.32.0
  • CRITICAL 9.3 CVE-2026-40280: Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
    from 0, < 8.31.0
  • HIGH 8.8 CVE-2026-44829: Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename
    from 0, < 8.33.0
  • HIGH 8.6 CVE-2026-42595: Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass
    from 0, < 8.32.0
  • HIGH 8.6 CVE-2026-39383: Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL
    >= 8.29.1, < 8.31.0
  • HIGH 8.2 CVE-2026-42591: Gotenberg has a Server-Side Request Forgery (SSRF) Issue
    from 0, <= 8.31.0
  • HIGH 8.2 CVE-2026-42590: Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
    from 0, <= 8.29.1
  • HIGH 8.2 CVE-2026-40893: Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move
    from 0, <= 8.30.1
  • HIGH 7.5 CVE-2026-45742: Gotenberg has a Race Condition via Multipart `downloadFrom` Handling
    >= 8.10.0, < 8.33.0
  • HIGH 7.5 CVE-2026-45741: Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes
    from 0, <= 8.32.0
  • HIGH 7.5 CVE-2026-42594: Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine
    from 0, < 8.32.0
  • MEDIUM 5.9 CVE-2026-42597: Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme
    from 0, < 8.32.0
  • MEDIUM 5.3 CVE-2026-42593: Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
    from 0, <= 8.31.0
  • MEDIUM 5.3 CVE-2026-42592: Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
    from 0, <= 8.31.0
  • MEDIUM 5.3 CVE-2026-42592: Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
    from 0
  • CVE-2026-35458: Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
    from 0, < 8.30.0
  • CVE-2026-27018: Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
    from 0, < 8.29.0
  • CVE-2026-27018: Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
    from 0, < 8.29.0
  • CVE-2024-21527: CVE-2024-21527 in github.com/gotenberg/gotenberg
    from 0, < 8.1.0