CVE-2026-40281

Source
https://cve.org/CVERecord?id=CVE-2026-40281
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40281.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40281
Aliases
Published
2026-05-06T20:46:47.960Z
Modified
2026-07-08T08:13:12.732405524Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H CVSS Calculator
Summary
Gotenberg vulnerable to argument injection via newlines in ExifTool metadata values
Details

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40281.json",
    "cwe_ids": [
        "CWE-88"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/gotenberg/gotenberg

Affected ranges

Type
GIT
Repo
https://github.com/gotenberg/gotenberg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.31.0"
        }
    ]
}

Affected versions

1.*
1.0.0
2.*
2.0.0
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.4.0
5.*
5.0.0
5.0.1
5.0.2
5.1.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.1.1
6.1.2
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.1.0
v7.1.1
v7.10.0
v7.10.1
v7.2.0
v7.3.0
v7.3.1
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.6.0
v7.6.1
v7.6.2
v7.7.0
v7.7.1
v7.7.2
v7.8.0
v7.8.1
v7.8.2
v7.8.3
v7.9.0
v7.9.1
v7.9.2
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v8.10.0
v8.11.0
v8.11.1
v8.12.0
v8.13.0
v8.14.0
v8.14.1
v8.15.0
v8.15.1
v8.15.2
v8.15.3
v8.16.0
v8.17.0
v8.17.1
v8.17.2
v8.17.3
v8.18.0
v8.19.0
v8.19.1
v8.2.0
v8.2.1
v8.2.2
v8.20.0
v8.20.1
v8.21.0
v8.21.1
v8.22.0
v8.23.0
v8.23.1
v8.23.2
v8.24.0
v8.25.0
v8.25.1
v8.26.0
v8.27.0
v8.28.0
v8.29.0
v8.29.1
v8.3.0
v8.30.0
v8.30.1
v8.4.0
v8.5.0
v8.5.1
v8.6.0
v8.7.0
v8.8.0
v8.8.1
v8.9.0
v8.9.1
v8.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40281.json"