Improper Handling of Case Sensitivity in gotenberg - #VU125318

Published: April 8, 2026


Vulnerability identifier: #VU125318
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-178
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: thecodingmachine
Affected software: gotenberg

Detailed vulnerability description

The vulnerability allows a remote attacker to write files to arbitrary paths.

The vulnerability exists due to improper handling of case sensitivity in pkg/modules/exiftool/exiftool.go when processing metadata write requests through the HTTP API. A remote attacker can send specially crafted metadata with alternate casing for dangerous pseudo-tags to write files to arbitrary paths.

Exploitation was confirmed via the unauthenticated HTTP API, and in containerized deployments the impact is limited to the container filesystem.
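The root cause described above, illustrated as an added Go example (not Gotenberg's own code): a denylist check that compares metadata keys exactly, beside a hardened version that folds case, since ExifTool treats tag names case-insensitively. The denied tag names FileName and Directory are an assumption; the advisory does not name the pseudo-tags it refers to.

```go
package main

import (
	"fmt"
	"strings"
)

// Pseudo-tags that make ExifTool write or move files instead of editing
// metadata in place. Assumed for this example; the advisory names no tags.
var deniedTags = []string{"FileName", "Directory"}

// rejectDangerousTagsCaseSensitive models the CWE-178 weakness: an exact
// string comparison that an alternately cased key slips past.
func rejectDangerousTagsCaseSensitive(metadata map[string]string) error {
	for key := range metadata {
		for _, denied := range deniedTags {
			if key == denied {
				return fmt.Errorf("metadata key %q is not allowed", key)
			}
		}
	}
	return nil
}

// rejectDangerousTags is the hardened check: it compares with case folding,
// matching how ExifTool itself resolves tag names.
func rejectDangerousTags(metadata map[string]string) error {
	for key := range metadata {
		for _, denied := range deniedTags {
			if strings.EqualFold(key, denied) {
				return fmt.Errorf("metadata key %q is not allowed", key)
			}
		}
	}
	return nil
}

func main() {
	// Constructed request body: one harmless tag plus a lower-cased pseudo-tag.
	req := map[string]string{"Author": "alice", "filename": "out.pdf"}
	fmt.Println("case-sensitive check:", rejectDangerousTagsCaseSensitive(req))
	fmt.Println("case-insensitive check:", rejectDangerousTags(req))
}
```

A production filter also has to account for ExifTool's group-prefixed form of the same tags (for example `File:FileName`), which the example above does not handle.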

Remediation

Install security update from vendor's website.

Sources