In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThecodingmachine Gotenberg
APPThecodingmachine≤ 6.2.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDoS
CWE
Related vulnerabilities
CVE-2026-42589CRITICAL9.8PL ✓ten sam produkt
Gotenberg: command injection w endpoincie zapisu metadanych PDF via ExifTool
CVE-2026-42596CRITICAL9.4PL ✓ten sam produkt
SSRF w Gotenberg — ominięcie deny-list przez IPv6-mapped adresy
CVE-2026-40281CRITICAL10.0PL ✓ten sam produkt
Gotenberg: injection w wartościach metadanych — zapis plików i symlinki
CVE-2020-13451CRITICAL9.8ten sam produkt
An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attack...
CVE-2020-13450CRITICAL9.8ten sam produkt
A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to u...