SB2026040869 - Multiple vulnerabilities in gotenberg

Published: April 8, 2026

Security Bulletin ID SB2026040869
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper Handling of Case Sensitivity (CVE-ID: N/A)

The vulnerability allows a remote attacker to write files to arbitrary paths.

The vulnerability exists due to improper handling of case sensitivity in pkg/modules/exiftool/exiftool.go when processing metadata write requests through the HTTP API. A remote attacker can send specially crafted metadata with alternate casing for dangerous pseudo-tags to write files to arbitrary paths.

Exploitation was confirmed via the unauthenticated HTTP API, and in containerized deployments the impact is limited to the container filesystem.


2) External Control of File Name or Path (CVE-ID: N/A)

The vulnerability allows a remote attacker to create hard links or symbolic links at arbitrary paths.

The vulnerability exists due to external control of file name or path in pkg/modules/exiftool/exiftool.go when processing metadata write requests through the HTTP API. A remote attacker can supply the HardLink or SymLink pseudo-tags to create hard links or symbolic links at arbitrary paths.

Exploitation was confirmed via the unauthenticated HTTP API, and hard links may persist data beyond temporary directory cleanup.
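Both findings above come down to the same defensive point: ExifTool pseudo-tags such as HardLink and SymLink are filesystem instructions rather than metadata, and a service that forwards caller-supplied keys has to refuse them in every spelling, because ExifTool matches tag names case-insensitively. The following Go program is an added illustration written for this bulletin; it is not gotenberg's code and does not reproduce its API. It puts the flawed exact-match check beside a case-folded denylist and an allowlist, with the metadata maps, the allowed key set and the error values being constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// dangerousPseudoTags holds the pseudo-tags named in the bulletin (constructed
// list). Keys are stored lower-cased so lookups can fold case once.
var dangerousPseudoTags = map[string]struct{}{
	"hardlink": {},
	"symlink":  {},
}

// ErrDangerousTag is returned when a caller-supplied key would make ExifTool
// touch the filesystem instead of writing metadata (constructed error value).
var ErrDangerousTag = errors.New("metadata key is a filesystem pseudo-tag")

// validateCaseSensitive mirrors the weak pattern described in finding 1: an
// exact-match denylist. "symlink" or "SYMLINK" pass because only the canonical
// casing is compared.
func validateCaseSensitive(metadata map[string]string) error {
	for key := range metadata {
		if key == "HardLink" || key == "SymLink" {
			return fmt.Errorf("%w: %q", ErrDangerousTag, key)
		}
	}
	return nil
}

// validateCaseInsensitive folds case before the lookup, so every spelling of a
// listed pseudo-tag is refused. This closes the casing bypass but still depends
// on the denylist being complete.
func validateCaseInsensitive(metadata map[string]string) error {
	for key := range metadata {
		if _, bad := dangerousPseudoTags[strings.ToLower(key)]; bad {
			return fmt.Errorf("%w: %q", ErrDangerousTag, key)
		}
	}
	return nil
}

// validateAllowlist inverts the decision: only keys the service expects are
// forwarded, compared with EqualFold, so a pseudo-tag missing from a denylist
// cannot slip through by omission. The allowed set is the caller's choice.
func validateAllowlist(metadata map[string]string, allowed []string) error {
	for key := range metadata {
		permitted := false
		for _, a := range allowed {
			if strings.EqualFold(key, a) {
				permitted = true
				break
			}
		}
		if !permitted {
			return fmt.Errorf("metadata key %q is not in the allowlist", key)
		}
	}
	return nil
}

func main() {
	// Constructed request: a caller tries the lower-cased pseudo-tag.
	request := map[string]string{"symlink": "/some/target", "Author": "demo"}
	fmt.Println("exact-match denylist:", validateCaseSensitive(request))
	fmt.Println("case-folded denylist:", validateCaseInsensitive(request))
	fmt.Println("allowlist:", validateAllowlist(request, []string{"Author", "Title"}))
}
```

The allowlist variant is the one to prefer for an endpoint that accepts metadata from unauthenticated callers: it needs no knowledge of which ExifTool tags have side effects, only of which fields the service actually intends to write.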


Remediation

Install the update from the vendor's website.