#VU125318 Improper Handling of Case Sensitivity in gotenberg
Published: April 8, 2026
gotenberg
thecodingmachine
Description
The vulnerability allows a remote attacker to write files to arbitrary paths.
The vulnerability exists due to improper handling of case sensitivity in pkg/modules/exiftool/exiftool.go when processing metadata write requests through the HTTP API. A remote attacker can send specially crafted metadata with alternate casing for dangerous pseudo-tags to write files to arbitrary paths.
Exploitation was confirmed via the unauthenticated HTTP API, and in containerized deployments the impact is limited to the container filesystem.
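The flaw class described above is a denylist compared with exact casing, while ExifTool itself matches tag names case-insensitively. The following Go sketch is an added example, not gotenberg's code: it contrasts the exact comparison with a case-folded one. The tag names `FileName` and `Directory` are assumed here as ExifTool's file-writing pseudo-tags (the advisory does not list them), and the function names and sample keys are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumption: ExifTool pseudo-tags that change where a file is written.
// The advisory does not name the tags; these two are used for illustration.
var dangerousTags = []string{"FileName", "Directory"}

// isBlocked reports whether a metadata key names a denied pseudo-tag.
// foldCase=false is the weak form (exact match only); foldCase=true
// compares under case folding, the way ExifTool resolves tag names.
func isBlocked(key string, foldCase bool) bool {
	for _, t := range dangerousTags {
		if key == t || (foldCase && strings.EqualFold(key, t)) {
			return true
		}
	}
	return false
}

// filterMetadata splits the keys of a metadata write request into those
// passed on to ExifTool and those rejected. Results are sorted so the
// outcome is deterministic.
func filterMetadata(md map[string]string, foldCase bool) (allowed, rejected []string) {
	for k := range md {
		if isBlocked(k, foldCase) {
			rejected = append(rejected, k)
		} else {
			allowed = append(allowed, k)
		}
	}
	sort.Strings(allowed)
	sort.Strings(rejected)
	return allowed, rejected
}

func main() {
	// Constructed sample keys, not taken from the advisory.
	md := map[string]string{"Author": "a", "FileName": "x", "filename": "x", "DIRECTORY": "y"}
	_, weak := filterMetadata(md, false)
	_, strong := filterMetadata(md, true)
	fmt.Println("exact match rejects:", weak)
	fmt.Println("case-folded match rejects:", strong)
}
```

A denylist of this kind only holds if it normalizes keys the same way the downstream parser does; an allowlist of known-safe tags avoids the mismatch entirely.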