Path traversal in gotenberg - CVE-2026-42593


Published: May 5, 2026


Vulnerability identifier: #VU129635
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42593
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: thecodingmachine
Affected software:
gotenberg

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in stampExpression and watermarkExpression handling in the merge, split, and convert routes when a request names a PDF stamp or watermark source without uploading that file. A remote attacker can send a specially crafted request containing a filesystem path to disclose sensitive information.

In affected deployments, the issue can expose PDF files readable by the Gotenberg process, and non-PDF targets may act as a file-existence oracle.
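The defensive pattern that addresses the description above is to bind a stamp or watermark source to the files actually uploaded with the request, and to reject anything else before the filesystem is consulted, so a rejected name also cannot serve as a file-existence oracle. The following Go code is an added example written for this advisory, not Gotenberg's own code; the `uploads` table (form filename to stored path) and the per-request `uploadDir` are assumptions about how a service records its uploads.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// errNotUploaded is the single error returned for every rejected source, so the
// response does not distinguish "no such upload" from "outside the directory".
var errNotUploaded = errors.New("stamp/watermark source must name an uploaded PDF")

// insideDir reports whether path stays within dir after lexical cleaning.
// It never consults the filesystem, so it cannot leak whether path exists.
func insideDir(dir, path string) bool {
	rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(path))
	if err != nil {
		return false
	}
	return rel != "." && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveStampSource maps the source named in a stamp or watermark expression to
// the file that was actually uploaded with the request. uploads is the
// form-field filename -> stored path table built when the multipart body was
// saved (assumed structure); uploadDir is the per-request directory those
// files were written to.
func resolveStampSource(uploads map[string]string, uploadDir, source string) (string, error) {
	// 1. The source must be a bare file name, never a relative or absolute path.
	if source == "" || filepath.IsAbs(source) || source != filepath.Base(source) {
		return "", errNotUploaded
	}
	// 2. Only PDF uploads can serve as a stamp or watermark.
	if !strings.EqualFold(filepath.Ext(source), ".pdf") {
		return "", errNotUploaded
	}
	// 3. The name must be one the client uploaded in this request; a name that
	//    merely exists somewhere on disk is not accepted.
	stored, ok := uploads[source]
	if !ok {
		return "", errNotUploaded
	}
	// 4. Defence in depth: the stored path must itself lie inside uploadDir.
	if !insideDir(uploadDir, stored) {
		return "", errNotUploaded
	}
	return stored, nil
}

func main() {
	// Constructed sample: one stamp file uploaded with this request.
	uploads := map[string]string{"stamp.pdf": "/tmp/req-1/stamp.pdf"}
	for _, src := range []string{"stamp.pdf", "../../outside/secret.pdf", "/srv/other/secret.pdf", "other.pdf", "stamp.txt"} {
		p, err := resolveStampSource(uploads, "/tmp/req-1", src)
		fmt.Printf("%-28q -> path=%q err=%v\n", src, p, err)
	}
}
```

Only the first name resolves; every other input is refused with the same error and without touching the disk. Checks 1 to 3 are the ones that close the gap described above; check 4 guards against a stored path that was itself derived from untrusted input.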


How to mitigate CVE-2026-42593

Install the security update from the vendor's website.

Sources