OS Command Injection in gotenberg - CVE-2026-42589
Published: May 5, 2026
gotenberg
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in an os command in the /forms/pdfengines/metadata/write endpoint when processing JSON metadata keys. A remote attacker can send a specially crafted HTTP request with a metadata key containing embedded newline characters to execute arbitrary code.
The issue occurs because newline characters in a JSON metadata key are forwarded to ExifTool and can inject additional flags such as -if, which evaluates Perl expressions.