Cyber Resilience

CVE-2026-42591

Severity: High · Public PoC

Published: 14 May 2026
Modified: 18 May 2026
KEV Added: not listed
Patch: (none recorded)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0024 (15.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42591 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in Thecodingmachine Gotenberg. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters. This vulnerability is fixed in 8.32.0.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing PDF conversion API endpoint (LibreOffice URL fetch bypass) directly enables T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42596 · Same product: Thecodingmachine Gotenberg
CVE-2026-42595 · Same product: Thecodingmachine Gotenberg
CVE-2026-27018 · Same product: Thecodingmachine Gotenberg
CVE-2026-42589 · Same product: Thecodingmachine Gotenberg
CVE-2026-40281 · Same product: Thecodingmachine Gotenberg
CVE-2026-40893 · Same product: Thecodingmachine Gotenberg
CVE-2026-42590 · Same product: Thecodingmachine Gotenberg
CVE-2026-35458 · Same product: Thecodingmachine Gotenberg
CVE-2026-42594 · Same product: Thecodingmachine Gotenberg
CVE-2024-13195 · Shared CWE-918

Affected Assets

Vendor: thecodingmachine
Product: gotenberg
Versions: ≤ 8.32.0 as recorded; the vulnerability details above state that the fix ships in 8.32.0, so verify the installed version against the vendor's advisory rather than relying on this range alone.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-918: Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

Addresses CWE-918: Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

Addresses CWE-918: Validates server-side URLs and resource references to block SSRF attempts.

Addresses CWE-918: Detects server-side request forgery through monitoring of unexpected outbound connections.
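As an added example, not Gotenberg's own code, of the "validates server-side URLs and resource references" control above applied to the mechanism in the vulnerability details, this pre-screen unpacks an uploaded ODF/OOXML container, collects the http(s) URLs that LibreOffice would otherwise fetch on the server's behalf, and rejects the document if any host resolves to a non-global address (defence in depth beside the 8.32.0 upgrade and egress restriction). The function names, the injectable resolver and the minimal ODF fixture are assumptions.

```python
import io
import ipaddress
import socket
import xml.etree.ElementTree as ET  # untrusted input: prefer defusedxml in production
import zipfile
from typing import Callable
from urllib.parse import urlparse
Resolver = Callable[[str], list[str]]  # hostname -> list of IP strings (injectable for tests)

def _resolve(host: str) -> list[str]:
    """Default resolver: every address the host maps to (IPv6 scope ids stripped)."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]

def extract_urls(document: bytes) -> set[str]:
    """http(s) URLs in attribute values of every XML part of an ODF/OOXML zip (xlink:href
    in ODF, Target="..." in OOXML .rels); xmlns declarations are not attributes to ElementTree."""
    urls: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(document)) as zf:
        for name in zf.namelist():
            if name.endswith((".xml", ".rels")):
                for elem in ET.fromstring(zf.read(name)).iter():
                    urls.update(v for v in elem.attrib.values() if v.startswith(("http://", "https://")))
    return urls

def is_internal_target(url: str, resolver: Resolver = _resolve) -> bool:
    """True if any resolved address is non-global (loopback, RFC 1918, link-local...) or resolution fails (fail closed)."""
    host = urlparse(url).hostname
    if not host:
        return True
    try:
        addrs = resolver(host)
    except OSError:
        return True
    return any(not ipaddress.ip_address(a).is_global for a in addrs)

def screen_document(document: bytes, resolver: Resolver = _resolve) -> tuple[bool, list[str]]:
    """Gate to run before an upload reaches LibreOffice: returns (allowed, offending_urls)."""
    bad = sorted(u for u in extract_urls(document) if is_internal_target(u, resolver))
    return (not bad, bad)

def build_sample_odt(href: str) -> bytes:
    """Constructed minimal ODF-style container holding one hyperlink (test fixture only)."""
    content = ('<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
               ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
               ' xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text><text:p>'
               f'<text:a xlink:href="{href}">link</text:a></text:p></office:text></office:body></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()
```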
