
thecodingmachine gotenberg

22 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-42597 | affected: < 8.32.0 | CVSS 5.9 MEDIUM
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/sc

CVE-2026-42596 | affected: < 8.31.0 | CVSS 9.4 CRITICAL
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFro

CVE-2026-42595 | affected: < 8.32.0 | CVSS 8.6 HIGH
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chrom

CVE-2026-42594 | affected: < 8.32.0 | CVSS 7.5 HIGH
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a

CVE-2026-42593 | affected: < 8.32.0 | CVSS 5.3 MEDIUM
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/conver

CVE-2026-42592 | affected: < 8.32.0 | CVSS 5.3 MEDIUM
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the re

CVE-2026-42591 | affected: < 8.32.0 | CVSS 8.2 HIGH
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffic
CVE-2026-42590 | affected: < 8.30.0 | CVSS 8.2 HIGH
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, the ExifTool metadata write blocklist in Gotenberg can
CVE-2026-42589 | affected: < 8.31.0 | CVSS 9.8 CRITICAL
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endp

CVE-2026-40893 | affected: < 8.31.0 | CVSS 8.2 HIGH
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName,

CVE-2026-40281 | affected: < 8.31.0 | CVSS 10.0 CRITICAL
Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates m

CVE-2026-39383 | affected: >= 8.29.1 and < 8.31.0 | CVSS 7.2 HIGH
Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force t

CVE-2026-40280 | affected: < 8.31.0 | CVSS 7.5 HIGH
Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --we

CVE-2026-35458 | affected: < 8.29.1 | CVSS 9.8 CRITICAL
Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplie

CVE-2026-27018 | affected: < 8.29.0 | CVSS 7.5 HIGH
Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypasse

CVE-2020-14161 | affected: <= 6.2.1 | CVSS 6.1 MEDIUM
It is possible to inject HTML and/or JavaScript in the HTML to PDF conversion in Gotenberg through 6.2.1 via the /convert/html end

CVE-2020-14160 | affected: <= 6.2.1 | CVSS 7.5 HIGH
An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker be

CVE-2021-23345 | affected: all versions | CVSS 5.3 MEDIUM
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /conver

CVE-2020-13452 | affected: <= 6.2.1 | CVSS 9.8 CRITICAL
In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite

CVE-2020-13451 | affected: <= 6.2.1 | CVSS 9.8 CRITICAL
An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite Libr

CVE-2020-13450 | affected: <= 6.2.1 | CVSS 9.8 CRITICAL
A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to upload and overwrite

CVE-2020-13449 | affected: <= 6.2.1 | CVSS 7.5 HIGH
A directory traversal vulnerability in the Markdown engine of Gotenberg through 6.2.1 allows an attacker to read any container fil
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin