PatchSiren

Thecodingmachine CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Thecodingmachine CVE published 2026-05-14

CVE-2026-42597

Gotenberg versions prior to 8.32.0 contain a path traversal vulnerability in the URL-based conversion and screenshot routes. The `/forms/chromium/convert/url` and `/forms/chromium/screenshot/url` endpoints accept `url=file:///tmp/...` from unauthenticated callers. While Gotenberg's default Chromium deny-list intentionally exempts `file:///tmp/` to support HTML/Markdown routes loading request-local assets, [truncated]

HIGH Thecodingmachine CVE published 2026-05-14

CVE-2026-42594

A race condition in Gotenberg's webhook middleware allows unauthenticated remote attackers to crash the service. The vulnerability stems from improper handling of Echo's context lifecycle: after a synchronous handler returns `ErrAsyncProcess`, the webhook middleware spawns a goroutine that retains a reference to the request's `echo.Context`. Echo recycles this context to its `sync.Pool`, and when a concurrent r [truncated]

MEDIUM Thecodingmachine CVE published 2026-05-14

CVE-2026-42593

Gotenberg versions prior to 8.32.0 contain a path traversal vulnerability in PDF processing endpoints. Six API routes—`pdfengines/merge`, `pdfengines/split`, `libreoffice/convert`, and three `chromium/convert` variants—accept `stampSource=pdf` and `watermarkSource=pdf` parameters paired with user-controlled `stampExpression` and `watermarkExpression` paths. When no file is uploaded, these routes fail to sanitize the expr [truncated]

MEDIUM Thecodingmachine CVE published 2026-05-14

CVE-2026-42592

A time-of-check to time-of-use (TOCTOU) vulnerability in Gotenberg's URL filtering allows DNS rebinding attacks against internal services. The `FilterOutboundURL` function performs initial DNS resolution and IP validation, but discards resolved addresses. Chromium subsequently performs its own DNS resolution when navigating, creating a window where an attacker controlling DNS with short TTL records can retu [truncated]

HIGH Thecodingmachine CVE published 2026-05-14

CVE-2026-42590

CVE-2026-42590 affects Gotenberg before 8.30.0. A metadata-write blocklist in the ExifTool integration can be bypassed using ExifTool group-prefix syntax, and some pseudo-tags were not blocked at all. The result is unauthorized file manipulation on the server, with integrity impact and limited availability impact.

HIGH Thecodingmachine CVE published 2026-05-14

CVE-2026-40893

CVE-2026-40893 is a high-severity vulnerability in Gotenberg, a Docker-powered stateless API for PDF files. The issue stems from an incomplete validation of ExifTool metadata tags. Prior to version 8.31.0, Gotenberg only checked for an exact match of the tag name `FileName`, allowing the variant `System:FileName` to bypass validation. ExifTool would then process this tag, enabling remote attackers to move [truncated]