Skip to main content

Gotenberg

2 CVEs product

Monthly

CVE-2026-35458 Go HIGH PATCH GHSA This Week

Denial of service in Gotenberg API (≤8.29.1) allows unauthenticated remote attackers to indefinitely hang worker processes via malicious regular expression patterns. The vulnerability stems from missing timeout enforcement in the dlclark/regexp2 library when compiling user-supplied scope patterns, enabling catastrophic backtracking attacks (CWE-1333). With CVSS 4.0 score 8.7 and high availability impact (VA:H), this represents significant service disruption risk. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication (AV:N/PR:N).

Denial Of Service Gotenberg
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-23345 MEDIUM POC This Month

All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Gotenberg
NVD GitHub
CVSS 3.1
5.3
EPSS
1.1%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Gotenberg API (≤8.29.1) allows unauthenticated remote attackers to indefinitely hang worker processes via malicious regular expression patterns. The vulnerability stems from missing timeout enforcement in the dlclark/regexp2 library when compiling user-supplied scope patterns, enabling catastrophic backtracking attacks (CWE-1333). With CVSS 4.0 score 8.7 and high availability impact (VA:H), this represents significant service disruption risk. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication (AV:N/PR:N).

Denial Of Service Gotenberg
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Gotenberg
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy