Cyber Posture

CVE-2026-40281

Critical

Published: 06 May 2026
Modified: 07 May 2026
KEV Added
Patch
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)
EPSS Score: 0.0009 (24.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40281 is a critical-severity Argument Injection (CWE-88) vulnerability in Gotenberg. Its CVSS base score is 10.0 (Critical).

Operationally, it is ranked at the 24.9th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

NVD Description

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths.
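The description above turns on one detail: ExifTool reads its argfile one argument per line, so a value containing a newline becomes a second argument. The following Go program is an added illustration written for this page, not Gotenberg's own code. It assumes metadata is rendered as `-Key=Value` argfile lines (an assumption about the format, not taken from the advisory) and uses a placeholder tag name `-Injected=arg` rather than any real pseudo-tag. It contrasts the incomplete check (keys only) with a hardened check that rejects control characters in both keys and values, and counts how many arguments ExifTool would see in each case.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// hasControlChar reports whether s contains a control character such as
// '\n', '\r' or NUL. In an ExifTool argfile (-@) every line is one argument,
// so a newline inside a value ends the current argument and starts a new one.
func hasControlChar(s string) bool {
	for _, r := range s {
		if unicode.IsControl(r) {
			return true
		}
	}
	return false
}

// ValidateKeysOnly models the incomplete fix: keys are inspected, values are not.
func ValidateKeysOnly(meta map[string]string) error {
	for k := range meta {
		if hasControlChar(k) {
			return fmt.Errorf("metadata key %q contains a control character", k)
		}
	}
	return nil
}

// ValidateKeysAndValues is the hardened check: both halves of every pair are inspected.
func ValidateKeysAndValues(meta map[string]string) error {
	for k, v := range meta {
		if hasControlChar(k) {
			return fmt.Errorf("metadata key %q contains a control character", k)
		}
		if hasControlChar(v) {
			return fmt.Errorf("metadata value for key %q contains a control character", k)
		}
	}
	return nil
}

// BuildArgfile runs the supplied validator and then renders the pairs as
// "-Key=Value" lines (the assumed argfile shape). Keys are sorted so the
// output is deterministic.
func BuildArgfile(meta map[string]string, validate func(map[string]string) error) (string, error) {
	if err := validate(meta); err != nil {
		return "", err
	}
	keys := make([]string, 0, len(meta))
	for k := range meta {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "-%s=%s\n", k, meta[k])
	}
	return b.String(), nil
}

// ArgCount reports how many arguments ExifTool would read from an argfile
// body: one per non-empty line.
func ArgCount(argfile string) int {
	n := 0
	for _, line := range strings.Split(argfile, "\n") {
		if strings.TrimSpace(line) != "" {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample: a single key whose value carries an embedded newline
	// followed by a placeholder tag. The newline is the trigger the advisory describes.
	meta := map[string]string{
		"Title": "Quarterly report\n-Injected=arg",
	}
	out, err := BuildArgfile(meta, ValidateKeysOnly)
	fmt.Printf("key-only check:      err=%v, arguments seen by ExifTool=%d\n", err, ArgCount(out))
	_, err = BuildArgfile(meta, ValidateKeysAndValues)
	fmt.Printf("key-and-value check: err=%v\n", err)
}
```

With the key-only validator the single pair yields two argfile lines, which is exactly the split the advisory describes; the key-and-value validator refuses the input before anything reaches ExifTool. Rejecting the whole request is preferable to stripping the newline silently, since a client that sent a control character in a metadata value is either buggy or hostile and should learn that the value was not accepted.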

Deeper analysis (AI)

Automated synthesis unavailable for this CVE.

Details

CWE(s)

CWE-88 (Argument Injection)

Affected Products

Gotenberg, versions 8.30.1 and earlier (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-26194 (shared CWE-88)
CVE-2026-22582 (shared CWE-88)
CVE-2026-40113 (shared CWE-88)
CVE-2025-41761 (shared CWE-88)
CVE-2026-25134 (shared CWE-88)
CVE-2026-42284 (shared CWE-88)
CVE-2026-2298 (shared CWE-88)
CVE-2026-24061 (shared CWE-88)
CVE-2026-24126 (shared CWE-88)
CVE-2025-0065 (shared CWE-88)

References