CVE-2026-27018

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-27018
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27018.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27018
Aliases
Downstream
Related
Published
2026-03-30T20:14:32.860Z
Modified
2026-04-10T05:37:03.974638Z
Severity
  • 7.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Gotenberg: Chromium deny-list bypass via case-insensitive URL scheme
Details

Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.

Database specific 
{
    "cwe_ids": [
        "CWE-22",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27018.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/gotenberg/gotenberg

Affected ranges

Type
GIT
Repo
https://github.com/gotenberg/gotenberg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5be574081c79cacd5c05c91d0fa5fd5c7b4a9ea4
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.29.0"
        }
    ]
}

Affected versions

1.*
1.0.0
2.*
2.0.0
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.4.0
5.*
5.0.0
5.0.1
5.0.2
5.1.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.1.1
6.1.2
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.1.0
v7.1.1
v7.10.0
v7.10.1
v7.2.0
v7.3.0
v7.3.1
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.6.0
v7.6.1
v7.6.2
v7.7.0
v7.7.1
v7.7.2
v7.8.0
v7.8.1
v7.8.2
v7.8.3
v7.9.0
v7.9.1
v7.9.2
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v8.10.0
v8.11.0
v8.11.1
v8.12.0
v8.13.0
v8.14.0
v8.14.1
v8.15.0
v8.15.1
v8.15.2
v8.15.3
v8.16.0
v8.17.0
v8.17.1
v8.17.2
v8.17.3
v8.18.0
v8.19.0
v8.19.1
v8.2.0
v8.2.1
v8.2.2
v8.20.0
v8.20.1
v8.21.0
v8.21.1
v8.22.0
v8.23.0
v8.23.1
v8.23.2
v8.24.0
v8.25.0
v8.25.1
v8.26.0
v8.27.0
v8.28.0
v8.3.0
v8.4.0
v8.5.0
v8.5.1
v8.6.0
v8.7.0
v8.8.0
v8.8.1
v8.9.0
v8.9.1
v8.9.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27018.json"