Thecodingmachine Gotenberg — known CVE vulnerabilities
Every CVE whose affected-product data names Thecodingmachine Gotenberg, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (22)
CVE-2026-40281 — CVSS 10.0 (critical): Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata…
CVE-2026-42589 — CVSS 9.8 (critical): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint…
CVE-2020-13452 — CVSS 9.8 (critical): In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file…
CVE-2020-13450 — CVSS 9.8 (critical): A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to upload and overwrite any…
CVE-2020-13451 — CVSS 9.8 (critical): An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice…
CVE-2026-35458 — CVSS 9.8 (critical): Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope…
CVE-2026-42596 — CVSS 9.4 (critical): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature…
CVE-2026-42595 — CVSS 8.6 (high): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/conver…
CVE-2026-42591 — CVSS 8.2 (high): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert)…
CVE-2026-42590 — CVSS 8.2 (high): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be…
CVE-2026-40893 — CVSS 8.2 (high): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so…
CVE-2020-13449 — CVSS 7.5 (high): A directory traversal vulnerability in the Markdown engine of Gotenberg through 6.2.1 allows an attacker to read any container files.
CVE-2020-14160 — CVSS 7.5 (high): An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able…
CVE-2026-27018 — CVSS 7.5 (high): Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using…
CVE-2026-40280 — CVSS 7.5 (high): Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the…
CVE-2026-42594 — CVSS 7.5 (high): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a…
CVE-2026-39383 — CVSS 7.2 (high): Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server…
CVE-2020-14161 — CVSS 6.1 (medium): It is possible to inject HTML and/or JavaScript in the HTML to PDF conversion in Gotenberg through 6.2.1 via the /convert/html endpoint.
CVE-2026-42597 — CVSS 5.9 (medium): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/u…
CVE-2026-42592 — CVSS 5.3 (medium): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved…
CVE-2026-42593 — CVSS 5.3 (medium): Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert…
CVE-2021-23345 — CVSS 5.3 (medium): All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html…