CVE-2026-55229

Source
https://cve.org/CVERecord?id=CVE-2026-55229
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55229.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55229
Aliases
Published
2026-07-10T20:35:12.809Z
Modified
2026-07-16T03:31:17.712864463Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Gotenberg: SSRF via LibreOffice document processing
Details

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.34.0, Gotenberg's /forms/libreoffice/convert endpoint allows a specially crafted document to cause LibreOffice to automatically retrieve external HTTP(S) resources and local file resources during document conversion, enabling blind SSRF and limited local file disclosure via linked image resource loading. This issue is fixed in version 8.34.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55229.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/gotenberg/gotenberg

Affected ranges

Type
GIT
Repo
https://github.com/gotenberg/gotenberg
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.34.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.0.0
2.*
2.0.0
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.2.0
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.4.0
5.*
5.0.0
5.0.1
5.0.2
5.1.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.1.1
6.1.2
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.4.3
6.4.4
v7.*
v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.1.0
v7.1.1
v7.10.0
v7.10.1
v7.2.0
v7.3.0
v7.3.1
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.5.0
v7.5.1
v7.5.2
v7.5.3
v7.5.4
v7.6.0
v7.6.1
v7.6.2
v7.7.0
v7.7.1
v7.7.2
v7.8.0
v7.8.1
v7.8.2
v7.8.3
v7.9.0
v7.9.1
v7.9.2
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v8.10.0
v8.11.0
v8.11.1
v8.12.0
v8.13.0
v8.14.0
v8.14.1
v8.15.0
v8.15.1
v8.15.2
v8.15.3
v8.16.0
v8.17.0
v8.17.1
v8.17.2
v8.17.3
v8.18.0
v8.19.0
v8.19.1
v8.2.0
v8.2.1
v8.2.2
v8.20.0
v8.20.1
v8.21.0
v8.21.1
v8.22.0
v8.23.0
v8.23.1
v8.23.2
v8.24.0
v8.25.0
v8.25.1
v8.26.0
v8.27.0
v8.28.0
v8.29.0
v8.29.1
v8.3.0
v8.30.0
v8.30.1
v8.31.0
v8.32.0
v8.33.0
v8.4.0
v8.5.0
v8.5.1
v8.6.0
v8.7.0
v8.8.0
v8.8.1
v8.9.0
v8.9.1
v8.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55229.json"