CRITICAL 10.0 CVE-2026-40281 Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)
from 0, < 8.31.0
CRITICAL 9.8 CVE-2026-42589 Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection
CRITICAL 9.4 CVE-2026-42596 Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
from 0, < 8.32.0
CRITICAL 9.3 Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
from 0, < 8.31.0
HIGH 8.8 Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename
from 0, < 8.33.0
HIGH 8.6 Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass
from 0, < 8.32.0
HIGH 8.6 Gotenberg Vulnerable to Unauthenticated SSRF via Unfiltered Webhook URL
>= 8.29.1, < 8.31.0
HIGH 8.2 Gotenberg has a Server-Side Request Forgery (SSRF) Issue
from 0, <= 8.31.0
HIGH 8.2 Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
from 0, <= 8.29.1
HIGH 8.2 Gotenberg has an ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names that Allows Arbitrary File Rename and Move
from 0, <= 8.30.1
HIGH 7.5 Gotenberg has a Race Condition via Multipart `downloadFrom` Handling
>= 8.10.0, < 8.33.0
HIGH 7.5 Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes
from 0, <= 8.32.0
HIGH 7.5 Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine
from 0, < 8.32.0
MEDIUM 5.9 Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme
from 0, < 8.32.0
MEDIUM 5.3 Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
from 0, <= 8.31.0
MEDIUM 5.3 Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes in github.com/gotenberg/gotenberg
from 0, <= 8.31.0
MEDIUM 5.3 Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes in github.com/gotenberg/gotenberg
from 0
— Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
from 0, < 8.30.0
— Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3) in github.com/gotenberg/gotenberg
from 0, < 8.29.0
— Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3) in github.com/gotenberg/gotenberg
from 0, < 8.29.0
— CVE-2024-21527 in github.com/gotenberg/gotenberg
from 0, < 8.1.0