CVE-2026-40893 | THREATINT

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. This vulnerability is fixed in 8.31.0.

PUBLISHED Reserved 2026-04-15 | Published 2026-05-14 | Updated 2026-05-14 | Assigner GitHub_M

HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Problem types

CWE-73: External Control of File Name or Path

CWE-184: Incomplete List of Disallowed Inputs

Product status

< 8.31.0

affected

References

github.com/...enberg/security/advisories/GHSA-62p3-hvxx-fxg4 exploit

github.com/...enberg/security/advisories/GHSA-62p3-hvxx-fxg4

cve.org (CVE-2026-40893)

nvd.nist.gov (CVE-2026-40893)

Download JSON