
CVE-2026-40281: Gotenberg has ExifTool stdin argument injection via metadata value newlines (bypass of key sanitization fix)

April 30, 2026 (updated May 8, 2026)

The metadata write endpoint in v8.30.1 validates metadata keys for control characters (commit 405f106) but leaves metadata values unsanitized. go-exiftool’s WriteMetadata sends each key/value pair to ExifTool’s stdin as:

fmt.Fprintln(e.stdin, "-"+k+"="+str)

A \n character in str splits this into two separate stdin lines, injecting an arbitrary ExifTool pseudo-tag argument. The attacker controls what comes after the newline, enabling injection of -FileName, -Directory, -SymLink, -HardLink, and other dangerous pseudo-tags — the exact tags the key blocklist was designed to prevent.
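As an added illustration that is not code from Gotenberg or go-exiftool, the Go snippet below reproduces the line-oriented formatting quoted above next to a check that applies the key validation to values as well. The function names, the error value and the sample title are constructed for this example; the smuggled argument is a harmless -Comment tag, chosen only to show the line split.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// ErrControlChar is returned when a key or value contains a control
// character that ExifTool's line-oriented stdin would read as a line break.
var ErrControlChar = errors.New("metadata key or value contains a control character")

// vulnerableArgLine mirrors the formatting quoted in the advisory: one "-key=value"
// line with no check on the value, so a "\n" in the value yields two argument lines.
func vulnerableArgLine(k, v string) string {
	return "-" + k + "=" + v + "\n"
}

// hasControlChar reports whether s contains any Unicode control character.
// Rejecting the whole class (not just "\n") also covers "\r", NUL and, as a
// deliberately conservative choice for this example, tabs.
func hasControlChar(s string) bool {
	return strings.IndexFunc(s, unicode.IsControl) >= 0
}

// safeArgLine applies the same control-character check to the value that the
// v8.30.1 fix applied to the key, so a value can never smuggle in a second line.
func safeArgLine(k, v string) (string, error) {
	if hasControlChar(k) || hasControlChar(v) {
		return "", ErrControlChar
	}
	return "-" + k + "=" + v + "\n", nil
}

// stdinLineCount returns how many separate argument lines ExifTool would
// actually receive from a formatted chunk.
func stdinLineCount(chunk string) int {
	return len(strings.Split(strings.TrimSuffix(chunk, "\n"), "\n"))
}

func main() {
	// Constructed sample: a benign value whose embedded newline smuggles a
	// second, harmless "-Comment" argument onto ExifTool's stdin.
	title := "Annual report\n-Comment=smuggled"
	fmt.Printf("vulnerable: %d stdin lines\n", stdinLineCount(vulnerableArgLine("Title", title)))
	if _, err := safeArgLine("Title", title); err != nil {
		fmt.Println("hardened:", err)
	}
}
```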

References

  • github.com/advisories/GHSA-q7r4-hc83-hf2q
  • github.com/gotenberg/gotenberg/commit/405f1069c026bb08f319fb5a44e5c67c33208318
  • github.com/gotenberg/gotenberg/releases/tag/v8.31.0
  • github.com/gotenberg/gotenberg/security/advisories/GHSA-q7r4-hc83-hf2q
  • nvd.nist.gov/vuln/detail/CVE-2026-40281


Affected versions

All versions before 8.31.0

Fixed versions

  • 8.31.0

Solution

Upgrade to version 8.31.0 or above.

Impact

10 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H


Weakness

  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Source file

go/github.com/gotenberg/gotenberg/v8/CVE-2026-40281.yml


Page generated Sun, 17 May 2026 12:23:57 +0000.