External Control of File Name or Path in gotenberg - #VU125319

 

Published: April 8, 2026


Vulnerability identifier: #VU125319
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-73
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: thecodingmachine
Affected software:
gotenberg

Detailed vulnerability description

The vulnerability allows a remote attacker to create hard links or symbolic links at arbitrary paths.

The vulnerability exists due to external control of file name or path in pkg/modules/exiftool/exiftool.go when processing metadata write requests through the HTTP API. A remote attacker can supply the HardLink or SymLink pseudo-tags to create hard links or symbolic links at arbitrary paths.

Exploitation was confirmed via the unauthenticated HTTP API, and hard links may persist data beyond temporary directory cleanup.
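The weakness described above is that metadata keys from an unauthenticated HTTP request reach ExifTool unfiltered, and ExifTool treats some "tags" as filesystem operations rather than metadata. The Go snippet below is an added defensive illustration, not gotenberg's own code and not the vendor's fix: it shows the validation a metadata-write handler can apply before any user-supplied key is forwarded to ExifTool. It assumes the request body has been decoded into a `map[string]any`, that keys may carry an ExifTool group prefix (`File:HardLink`) or the numeric `#` suffix, and that `FileName` and `Directory` belong to the same rename/move pseudo-tag family as the two tags the advisory names (the latter two are from ExifTool's documentation, not from this page).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// filesystemPseudoTags lists ExifTool "tags" that do not write metadata at all
// but act on the filesystem. HardLink and SymLink are the two named in the
// advisory; FileName and Directory are the rename/move tags from the same
// family in ExifTool's documentation (included here as an assumption).
var filesystemPseudoTags = map[string]struct{}{
	"hardlink":  {},
	"symlink":   {},
	"filename":  {},
	"directory": {},
}

// bareTagName normalises a request key the way ExifTool would read it:
// an optional group prefix ("File:HardLink") is dropped, a trailing "#"
// (numeric-value suffix) is removed, and the result is lower-cased because
// ExifTool tag names are case-insensitive.
func bareTagName(key string) string {
	key = strings.TrimSpace(key)
	if i := strings.LastIndex(key, ":"); i >= 0 {
		key = key[i+1:]
	}
	key = strings.TrimSuffix(key, "#")
	return strings.ToLower(key)
}

// RejectedKeys returns, sorted, every key of a metadata write request that
// would reach ExifTool as a filesystem pseudo-tag.
func RejectedKeys(meta map[string]any) []string {
	var bad []string
	for k := range meta {
		if _, hit := filesystemPseudoTags[bareTagName(k)]; hit {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad
}

// ValidateMetadata is the deny-list check: fail the whole request if any
// filesystem pseudo-tag is present, before anything is handed to ExifTool.
func ValidateMetadata(meta map[string]any) error {
	if bad := RejectedKeys(meta); len(bad) > 0 {
		return fmt.Errorf("metadata request rejected: filesystem pseudo-tags %v", bad)
	}
	return nil
}

// FilterAllowed is the stricter allow-list variant: only keys whose bare tag
// name appears in allowed are kept. Pseudo-tags are dropped regardless of the
// allow-list, so a misconfigured allow-list cannot reintroduce them.
func FilterAllowed(meta map[string]any, allowed map[string]struct{}) map[string]any {
	out := make(map[string]any, len(meta))
	for k, v := range meta {
		name := bareTagName(k)
		if _, pseudo := filesystemPseudoTags[name]; pseudo {
			continue
		}
		if _, ok := allowed[name]; ok {
			out[k] = v
		}
	}
	return out
}

func main() {
	// Constructed request body, as a client might POST it; not taken from the advisory.
	req := map[string]any{
		"Title":        "Quarterly report",
		"Author":       "Finance",
		"HardLink":     "/placeholder/path/outside/workdir",
		"File:SymLink": "/placeholder/other/path",
	}
	fmt.Println("deny-list:", ValidateMetadata(req))
	allowed := map[string]struct{}{"title": {}, "author": {}, "subject": {}}
	fmt.Println("allow-list:", FilterAllowed(req, allowed))
}
```

The deny-list form is the minimal change for an existing handler; the allow-list form is what a service that only ever needs a handful of document tags should prefer, since any pseudo-tag added to ExifTool in a future release is blocked without a code change. For detection, the same `RejectedKeys` output is a natural thing to log at the API boundary: a request carrying these keys has no legitimate purpose for a metadata-writing service.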


Remediation

Install the security update from the vendor's website.

Sources