Cyber Resilience

CVE-2026-42590

Severity: High · Public PoC

Published: 14 May 2026
Modified: 18 May 2026
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0029 (20.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42590 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Thecodingmachine Gotenberg. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, the ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName: the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, the FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.
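The root cause is that the blocklist compares the raw user-supplied tag name while ExifTool matches on the name with every group prefix stripped. The Go snippet below is an added illustration, not Gotenberg's code: validateTagNaive repeats the exact-match mistake, and validateTagHardened canonicalizes the tag (drop all "Group:" prefixes, ignore case) before consulting the blocklist. The safeKeyPattern is the one quoted in the advisory; deniedTags is a constructed list that also includes the pseudo-tags the advisory says were missing.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Character class quoted in the advisory: ':' is allowed, so "File:FileName" passes.
var safeKeyPattern = regexp.MustCompile(`^[a-zA-Z0-9\-_.:]+$`)

// Tags the advisory names as touching the file system (constructed list, not Gotenberg's).
var deniedTags = map[string]bool{
	"filename": true, "directory": true, "hardlink": true, "symlink": true,
	"filepermissions": true, "fileuserid": true, "filegroupid": true,
}

// Exact-name check: "File:FileName" is not a map key, so it passes even though ExifTool drops the prefix.
func validateTagNaive(tag string) error {
	if !safeKeyPattern.MatchString(tag) {
		return fmt.Errorf("tag %q contains disallowed characters", tag)
	}
	if deniedTags[strings.ToLower(tag)] {
		return fmt.Errorf("tag %q is not allowed", tag)
	}
	return nil
}

// What ExifTool matches on: the part after the last ':' (any number of group prefixes), case-insensitive.
func canonicalTag(tag string) string {
	if i := strings.LastIndex(tag, ":"); i >= 0 {
		tag = tag[i+1:]
	}
	return strings.ToLower(tag)
}

// Hardened check: validate the canonical name, not the raw user-supplied string.
func validateTagHardened(tag string) error {
	if !safeKeyPattern.MatchString(tag) {
		return fmt.Errorf("tag %q contains disallowed characters", tag)
	}
	if deniedTags[canonicalTag(tag)] {
		return fmt.Errorf("tag %q is not allowed", tag)
	}
	return nil
}

func main() {
	fmt.Println(validateTagNaive("File:FileName"), validateTagHardened("File:FileName"))
}
```

A blocklist is still the weaker design; an allowlist of the metadata tags the service actually needs to write would close this class of bypass entirely.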

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1222.002 Linux and Mac File and Directory Permissions Modification (Defense Evasion)
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.
Why these techniques?

Direct exploitation of public-facing PDF API (T1190) via blocklist bypass enabling Linux file/permission manipulation (T1222.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40893 (same product: Thecodingmachine Gotenberg)
CVE-2026-42596 (same product: Thecodingmachine Gotenberg)
CVE-2026-42589 (same product: Thecodingmachine Gotenberg)
CVE-2026-42591 (same product: Thecodingmachine Gotenberg)
CVE-2026-42595 (same product: Thecodingmachine Gotenberg)
CVE-2026-40281 (same product: Thecodingmachine Gotenberg)
CVE-2026-27018 (same product: Thecodingmachine Gotenberg)
CVE-2026-42594 (same product: Thecodingmachine Gotenberg)
CVE-2026-35458 (same product: Thecodingmachine Gotenberg)
CVE-2025-48732 (shared CWE-184)

Affected Assets

thecodingmachine / gotenberg: ≤ 8.30.0

Mitigating Controls

Likely Mitigating Controls (AI mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-184

Spam filters rely on evolving blacklists, signatures, and heuristics of disallowed message patterns; keeping them updated per the control directly mitigates incomplete disallowed-input lists.