CVE-2026-27018

Published: Mar 30, 2026 Last Modified: Mar 30, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,8
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.

22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability
Potential Impacts:
Execute Unauthorized Code Or Commands Modify Files Or Directories Read Files Or Directories Dos: Crash, Exit, Or Restart
Applicable Platforms
Technologies: AI/ML
Likelihood of Exploit: High
View CWE Details
918

Server-Side Request Forgery (SSRF)

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control
Potential Impacts:
Read Application Data Execute Unauthorized Code Or Commands Bypass Protection Mechanism
Applicable Platforms
Technologies: AI/ML, Web Based, Web Server
View CWE Details
https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b…
https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599e…
https://github.com/gotenberg/gotenberg/commit/8625a4e899eb7…
https://github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7f…
https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0
https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0
https://github.com/gotenberg/gotenberg/security/advisories/…
https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r