CVE-2026-40281 – Gotenberg

CVSS 10 CRITICAL

“One newline in the wrong place can turn file processing into file takeover.”

Gotenberg released a critical patch for CVE-2026-40281, addressing an argument injection vulnerability in its ExifTool integration. The issue stems from improper sanitization of metadata values, where newline characters can break input parsing and inject unintended arguments. This allows attackers to manipulate file operations inside the container, including renaming, moving, or overwriting files, and creating symlinks or hard links.

CVE-2026-40281 has a CVSS score of 10, which is Critical severity. Public proof-of-concept activity has been identified, increasing the likelihood of exploitation. The patch closes the gap by enforcing stricter validation of metadata values and preventing argument injection through malformed input.
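The mitigation the patch describes, strict validation of metadata values before they reach ExifTool, can be illustrated with a small defensive check. The following Go code is an added example written for this page; it is not Gotenberg's own code and does not reproduce its patch. It assumes (as the advisory's description of newline-based argument injection suggests) that metadata keys and values end up in a line-oriented argument list such as an ExifTool `-@` argfile, where one argument occupies one line, so a newline or carriage return inside a value would be read as the start of a new argument. The function names `ValidateMetadataValue` and `BuildExifToolArgs` and the sample metadata are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// ErrUnsafeMetadata is returned when a metadata key or value could be
// interpreted as an argument separator or as an option flag.
var ErrUnsafeMetadata = errors.New("unsafe metadata")

// ValidateMetadataValue rejects keys and values that contain newlines,
// carriage returns or any other control character (CWE-88 hardening).
// Assumption for this example: the value is later written one argument
// per line into an ExifTool argument file, so a newline would terminate
// the current argument and let the remainder be parsed as a new one.
func ValidateMetadataValue(key, value string) error {
	for _, s := range []string{key, value} {
		for _, r := range s {
			if r == '\n' || r == '\r' || unicode.IsControl(r) {
				return fmt.Errorf("%w: control character in %q", ErrUnsafeMetadata, key)
			}
		}
	}
	// A key beginning with '-' would itself be read as an option.
	if strings.HasPrefix(key, "-") {
		return fmt.Errorf("%w: key %q starts with '-'", ErrUnsafeMetadata, key)
	}
	if key == "" {
		return fmt.Errorf("%w: empty key", ErrUnsafeMetadata)
	}
	return nil
}

// BuildExifToolArgs turns a metadata map into -TAG=VALUE arguments.
// It fails closed: one invalid entry aborts the whole call rather than
// silently dropping the bad tag. Keys are sorted for deterministic output.
func BuildExifToolArgs(meta map[string]string) ([]string, error) {
	keys := make([]string, 0, len(meta))
	for k := range meta {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	args := make([]string, 0, len(keys))
	for _, k := range keys {
		if err := ValidateMetadataValue(k, meta[k]); err != nil {
			return nil, err
		}
		args = append(args, "-"+k+"="+meta[k])
	}
	return args, nil
}

func main() {
	// Constructed sample: a benign value and a value carrying a newline.
	good := map[string]string{"Author": "Alice", "Title": "Quarterly report"}
	bad := map[string]string{"Title": "Quarterly report\ninjected-argument"}

	args, err := BuildExifToolArgs(good)
	fmt.Println(args, err) // [-Author=Alice -Title=Quarterly report] <nil>

	_, err = BuildExifToolArgs(bad)
	fmt.Println(errors.Is(err, ErrUnsafeMetadata)) // true
}
```

The check is deliberately conservative: rejecting every control character (tabs included) is simpler to reason about than an allowlist of "safe" ones, and failing the whole request on one bad tag avoids a partial write with surprising metadata.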

Key Details

Affected Product: Thecodingmachine Gotenberg
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-88
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.