#VU125319 External Control of File Name or Path in gotenberg
Published: April 8, 2026
gotenberg
thecodingmachine
Description
The vulnerability allows a remote attacker to create hard links or symbolic links at arbitrary paths.
The vulnerability exists due to external control of file name or path in pkg/modules/exiftool/exiftool.go when processing metadata write requests through the HTTP API. A remote attacker can supply the HardLink or SymLink pseudo-tags to create hard links or symbolic links at arbitrary paths.
Exploitation was confirmed via the unauthenticated HTTP API, and hard links may persist data beyond temporary directory cleanup.
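One way to reject these pseudo-tags before a metadata write reaches ExifTool, shown as an added example; it is not Gotenberg's code or its actual fix. `ValidateMetadata`, `normalizeTag` and the sample requests are hypothetical, and the normalization assumes ExifTool's case-insensitive tag matching, optional `Group:` prefix and trailing `#`.

```go
package main

import (
	"fmt"
	"strings"
)

// Pseudo-tags named in the advisory. ExifTool treats a write to either one
// as a filesystem operation rather than a metadata edit.
var blockedTags = map[string]bool{"hardlink": true, "symlink": true}

// normalizeTag reduces a client-supplied key to the bare, lower-case tag name.
// Assumption: keys may carry a "Group:" prefix and a trailing "#", and
// ExifTool matches names case-insensitively, so all three are normalized.
func normalizeTag(key string) string {
	name := strings.TrimSpace(key)
	if i := strings.LastIndex(name, ":"); i >= 0 {
		name = name[i+1:]
	}
	name = strings.TrimRight(name, "#")
	return strings.ToLower(name)
}

// ValidateMetadata (hypothetical helper) rejects the whole request when any
// key resolves to a blocked pseudo-tag, instead of silently dropping the key.
func ValidateMetadata(metadata map[string]any) error {
	for key := range metadata {
		if blockedTags[normalizeTag(key)] {
			return fmt.Errorf("metadata key %q is not allowed", key)
		}
	}
	return nil
}

func main() {
	// Constructed sample requests; values are placeholders.
	samples := []map[string]any{
		{"Author": "Jane", "Title": "Report"},
		{"Author": "Jane", "HardLink": "placeholder"},
		{"System:symlink#": "placeholder"},
	}
	for _, m := range samples {
		fmt.Println(ValidateMetadata(m))
	}
}
```

An allowlist of the metadata keys the service actually needs is stricter than this denylist and does not depend on tracking which tags have filesystem side effects.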