{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27018", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T03:08:23.490Z", "datePublished": "2026-03-30T20:14:32.860Z", "dateUpdated": "2026-03-31T14:16:20.913Z"}, "containers": {"cna": {"title": "Gotenberg: Chromium deny-list bypass via case-insensitive URL scheme", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r"}, {"name": "https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599eb0c5a11", "tags": ["x_refsource_MISC"], "url": "https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599eb0c5a11"}, {"name": "https://github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7fd79fff5", "tags": ["x_refsource_MISC"], "url": "https://github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7fd79fff5"}, {"name": "https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0"}], "affected": [{"vendor": "gotenberg", "product": "gotenberg", "versions": [{"version": "< 8.29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T20:14:32.860Z"}, "descriptions": [{"lang": "en", "value": "Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0."}], "source": {"advisory": "GHSA-jjwv-57xh-xr6r", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:16:17.015824Z", "id": "CVE-2026-27018", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:16:20.913Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Gotenberg: Chromium deny-list bypass via case-insensitive URL scheme", "source": {"advisory": "GHSA-jjwv-57xh-xr6r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gotenberg", "product": "gotenberg", "versions": [{"status": "affected", "version": "< 8.29.0"}]}], "references": [{"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r", "name": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599eb0c5a11", "name": "https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599eb0c5a11", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7fd79fff5", "name": "https://github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7fd79fff5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0", "name": "https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T20:14:32.860Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27018", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:16:17.015824Z"}}}], "references": [{"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-31T14:16:11.237Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-27018", "state": "PUBLISHED", "dateUpdated": "2026-03-30T20:14:32.860Z", "dateReserved": "2026-02-17T03:08:23.490Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T20:14:32.860Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EDB2893-B553-47ED-AC5A-4C26628D358E", "versionEndExcluding": "8.29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0."}, {"lang": "es", "value": "Gotenberg es una API para convertir formatos de documentos. Antes de la versi\u00f3n 8.29.0, la correcci\u00f3n introducida para CVE-2024-21527 puede ser eludida utilizando esquemas de URL en may\u00fasculas y min\u00fasculas o en may\u00fasculas. Este problema ha sido parcheado en la versi\u00f3n 8.29.0."}], "id": "CVE-2026-27018", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-30T21:17:08.383", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599eb0c5a11"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7fd79fff5"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.29.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "gotenberg", "source": "cna", "vendor": "gotenberg"}, "product": "gotenberg", "vendor": "gotenberg"}], "analysis": {"en": {"generated_at": "2026-04-08T18:21:54.925704+00:00", "value": {"mitigation_remediation": ["Upgrade Gotenberg to version 8.29.0 or later to remove the case\u2011sensitivity bypass.", "If an upgrade is not immediately possible, isolate the Gotenberg service behind a network perimeter that denies outbound traffic to untrusted hosts.", "Ensure that the deny\u2011list enforcement is verified by attempting to access mixed\u2011case or uppercase schemes after applying the patch."], "summary": {"action": "Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "All installations of Gotenberg from the Coding Machine prior to release 8.29.0 are vulnerable. The fix is included in version 8.29.0 and newer. Users running earlier versions should consider upgrade or temporary controls.", "description_and_impact": "The vulnerability results from a case\u2011insensitive handling of URL schemes in Gotenberg\u2019s Chromium component. An attacker can supply mixed\u2011case or all\u2011uppercase schemes that bypass the previously implemented deny\u2011list, enabling the service to retrieve and process arbitrary external URLs. This flaw allows the service to make unintended outbound network requests, potentially exposing internal resources or loading malicious content that could be used for further attacks. The weakness is identified as a path traversal (CWE\u201122) and a server\u2011side request forgery (CWE\u2011918).", "risk_and_exploitability": "The CVSS score of 7.8 classifies the issue as High, and the EPSS score of less than 1\u202f% indicates a low current exploitation rate. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending crafted URLs to a publicly accessible Gotenberg endpoint; no special privileges are required. While the flaw does not directly lead to code execution, the forced outbound request can be used to access internal services, perform data exfiltration, or facilitate additional attacks."}}}}, "created": "2026-03-31T19:59:59.200552+00:00", "updated": "2026-04-08T20:00:31.847925+00:00", "vendors": ["gotenberg", "gotenberg$PRODUCT$gotenberg"]}