CVE-2026-40893

Source
https://cve.org/CVERecord?id=CVE-2026-40893
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40893.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40893
Aliases
Published
2026-05-14T15:18:27.758Z
Modified
2026-07-08T08:13:12.568601349Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L CVSS Calculator
Summary
Gotenberg: ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names Allows Arbitrary File Rename and Move
Details

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. This vulnerability is fixed in 8.31.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40893.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-184",
        "CWE-73"
    ]
}
References

Affected packages

Git / github.com/gotenberg/gotenberg

Affected ranges

Type
GIT
Repo
https://github.com/gotenberg/gotenberg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.31.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

1.*
1.0.0
2.*
2.0.0
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.4.0
5.*
5.0.0
5.0.1
5.0.2
5.1.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.1.1
6.1.2
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.1.0
v7.1.1
v7.10.0
v7.10.1
v7.2.0
v7.3.0
v7.3.1
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.6.0
v7.6.1
v7.6.2
v7.7.0
v7.7.1
v7.7.2
v7.8.0
v7.8.1
v7.8.2
v7.8.3
v7.9.0
v7.9.1
v7.9.2
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v8.10.0
v8.11.0
v8.11.1
v8.12.0
v8.13.0
v8.14.0
v8.14.1
v8.15.0
v8.15.1
v8.15.2
v8.15.3
v8.16.0
v8.17.0
v8.17.1
v8.17.2
v8.17.3
v8.18.0
v8.19.0
v8.19.1
v8.2.0
v8.2.1
v8.2.2
v8.20.0
v8.20.1
v8.21.0
v8.21.1
v8.22.0
v8.23.0
v8.23.1
v8.23.2
v8.24.0
v8.25.0
v8.25.1
v8.26.0
v8.27.0
v8.28.0
v8.29.0
v8.29.1
v8.3.0
v8.30.0
v8.30.1
v8.4.0
v8.5.0
v8.5.1
v8.6.0
v8.7.0
v8.8.0
v8.8.1
v8.9.0
v8.9.1
v8.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40893.json"