CVE-2026-27018

HighPublic PoC

Published: 30 March 2026

Published

30 March 2026

Modified

08 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0002 6.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27018 is a high-severity Path Traversal (CWE-22) vulnerability in Thecodingmachine Gotenberg. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and remediation of flaws such as CVE-2026-27018 by upgrading Gotenberg to the patched version 8.29.0.

SI-10 Information Input Validation good match

prevent

Mandates validation of information inputs like URL schemes to prevent bypasses via mixed-case or uppercase variations exploited in this vulnerability.

SC-7 Boundary Protection partial match

preventdetect

Enforces boundary protection to monitor and control communications, mitigating SSRF attempts by restricting unauthorized outbound requests triggered by malformed URL schemes.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

SSRF + path traversal in public-facing Gotenberg API enables direct exploitation of the service (T1190) and reading of local files/sensitive data (T1005) by bypassing URL scheme filters.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.

Deeper analysisAI

CVE-2026-27018 is a vulnerability in Gotenberg, an API for converting document formats, affecting versions prior to 8.29.0. It allows bypassing the fix previously introduced for CVE-2024-21527 by using mixed-case or uppercase URL schemes. The issue is classified under CWE-22 (Path Traversal) and CWE-918 (Server-Side Request Forgery), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network-accessible exploitation.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By submitting requests with manipulated URL schemes, they can circumvent the prior mitigation, potentially achieving unauthorized access to sensitive data as reflected in the high confidentiality impact score.

The vulnerability has been addressed in Gotenberg version 8.29.0. Mitigation details are available in the GitHub security advisory GHSA-jjwv-57xh-xr6r, the release notes at v8.29.0, and associated commits 06b2b2e10c52b58135edbfe82e94d599eb0c5a11 and 8625a4e899eb75e6fcf46d28394334c7fd79fff5. Security practitioners should upgrade to the patched version immediately.