SB2026040869 - Multiple vulnerabilities in gotenberg
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Handling of Case Sensitivity (CVE-ID: N/A)
CWE-ID: CWE-178 - Improper Handling of Case Sensitivity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to write files to arbitrary paths.
The vulnerability exists due to improper handling of case sensitivity in pkg/modules/exiftool/exiftool.go when processing metadata write requests through the HTTP API. A remote attacker can send specially crafted metadata with alternate casing for dangerous pseudo-tags to write files to arbitrary paths.
Exploitation was confirmed via the unauthenticated HTTP API, and in containerized deployments the impact is limited to the container filesystem.
2) External Control of File Name or Path (CVE-ID: N/A)
CWE-ID: CWE-73 - External Control of File Name or Path
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to create hard links or symbolic links at arbitrary paths.
The vulnerability exists due to external control of file name or path in pkg/modules/exiftool/exiftool.go when processing metadata write requests through the HTTP API. A remote attacker can supply the HardLink or SymLink pseudo-tags to create hard links or symbolic links at arbitrary paths.
Exploitation was confirmed via the unauthenticated HTTP API, and hard links may persist data beyond temporary directory cleanup.
Remediation
Install update from vendor's website.