Incomplete List of Disallowed Inputs

CVE-2026-42590

Low

0/10

Summary

The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. This is a bypass of the fix for GHSA-qmwh-9m9c-h36m.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: LOW

CWE-184 - Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

References

Advisory

Advisory Timeline

Published May 14, 2026

Incomplete List of Disallowed Inputs

CVE-2026-42590

Summary

CWE-184 - Incomplete List of Disallowed Inputs

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS