CVE-2026-42590

High

Published: 14 May 2026

Published

14 May 2026

Modified

14 May 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

EPSS Score N/A

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42590 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-8 Spam Protection

addresses: CWE-184

Spam filters rely on evolving blacklists, signatures, and heuristics of disallowed message patterns; keeping them updated per the control directly mitigates incomplete disallowed-input lists.

NVD Description

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports…

group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix. This vulnerability is fixed in 8.30.0.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-184

References

https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855
security-advisories@github.com