CVE-2026-42591 · HIGH 8.2 · EPSS p15.4%

Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely bypassing the SSRF filters. This vulnerability is fixed in 8.32.0.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.24% probability of exploitation · percentile 15.4% · 2026-06-19T12:03:05Z
Published: 2026-05-14
Last modified: 2026-05-18

Underlying weaknesses · 1

CWE-918

References

  1. https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rm4c-xj6x-49mw

Type: Weakness · Target: Server-Side Request Forgery (SSRF), cwe-918 · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-42595
  2. CVE-2026-42596
  3. CVE-2026-42589
  4. CVE-2026-40281
  5. CVE-2026-40893
  6. CVE-2026-42590

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.