CVE-2026-42589

Published: Mag 14, 2026 Last Modified: Mag 18, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0009

Percentile

0,2th

Updated

EPSS Score Trend (Last 6 Days)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Non-Repudiation

Potential Impacts:

Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Read Files Or Directories Modify Files Or Directories Read Application Data Modify Application Data Hide Activities

Applicable Platforms

Technologies: Not Technology-Specific, AI/ML, Web Server

Likelihood of Exploit: High

View CWE Details

Application

Gotenberg by Thecodingmachine

Product Information

Vendor Thecodingmachine

Product Gotenberg

Version Range Affected

To 8.31.0 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://github.com/gotenberg/gotenberg/security/advisories/…

https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657

https://github.com/gotenberg/gotenberg/security/advisories/…

https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657

CVE-2026-42589

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 6 Days)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Common Consequences

Applicable Platforms

Gotenberg by Thecodingmachine

Product Information

Iscriviti alla newsletter