
Vulnerability_id VCID-w5ww-yurt-6ycw
Summary Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based SSRF. The default deny-list regex only blocks file:// URIs. An unauthenticated attacker can point Chromium at any internal IP, including loopback, RFC 1918 ranges, and cloud metadata endpoints, and receive the response rendered as a PDF. Additionally, even when operators configure a custom deny-list, the protection is bypassed via HTTP redirects: Gotenberg's Chromium instance follows 302 redirects from an attacker-controlled external URL to internal targets without re-validating the redirect destination against the deny-list. This vulnerability is fixed in 8.32.0.
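Added example, not Gotenberg's code: a Go check of the kind the summary above implies is missing, written by the editor against the standard library only. It contrasts a string-level regex deny-list (which misses an IPv4-mapped IPv6 literal and any hostname that merely resolves to an internal address) with a resolve-then-check validator, and wraps net/http so that every 302 hop is re-validated and the address actually dialed is checked once more at connect time. The resolver is injected; the DNS table, the hostnames metadata.attacker.test and example.com, and the blocked-range list are constructed for the example and are not Gotenberg's deny-list implementation.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
	"syscall"
)

// Ranges a URL-to-PDF fetcher must never reach (illustrative list, not exhaustive).
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("::1/128"), // loopback
	netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"), // RFC 1918
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("fe80::/10"), // link-local, incl. 169.254.169.254 metadata
	netip.MustParsePrefix("fc00::/7"), // IPv6 unique local
}

// Resolver is injected so the example runs offline against a constructed DNS table.
type Resolver func(host string) ([]netip.Addr, error)

func isBlockedAddr(a netip.Addr) bool {
	a = a.Unmap() // ::ffff:127.0.0.1 is loopback too
	for _, p := range blockedPrefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// A raw-URL regex deny-list of the kind operators write; kept only to show what it misses.
var stringDenyList = regexp.MustCompile(`^https?://(127\.|10\.|192\.168\.|169\.254\.)`)

func RegexBlocks(raw string) bool { return stringDenyList.MatchString(raw) }

// CheckURL allows only http/https and rejects any URL whose host is, or resolves to, a blocked address.
func CheckURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q not allowed", host)
	}
	var addrs []netip.Addr
	if a, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{a} // literal IP, including bracketed IPv6
	} else if addrs, err = resolve(host); err != nil || len(addrs) == 0 {
		return fmt.Errorf("%s did not resolve: %v", host, err)
	}
	for _, a := range addrs { // every answer must pass, not just the first
		if isBlockedAddr(a) {
			return fmt.Errorf("%s resolves to blocked address %s", host, a)
		}
	}
	return nil
}

// NewSSRFSafeClient re-validates every redirect hop and, because a DNS answer can change
// between check and connect (rebinding), also checks the address the dialer is about to use.
func NewSSRFSafeClient(resolve Resolver) *http.Client {
	dialer := &net.Dialer{Control: func(_, address string, _ syscall.RawConn) error {
		if ap, err := netip.ParseAddrPort(address); err != nil || isBlockedAddr(ap.Addr()) {
			return fmt.Errorf("refusing to connect to %s", address)
		}
		return nil
	}}
	return &http.Client{
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return fmt.Errorf("too many redirects")
			}
			return CheckURL(req.URL.String(), resolve) // validate the hop, not only the first URL
		},
	}
}

func main() {
	// Constructed resolver: an attacker-controlled name that points at the metadata service.
	resolve := func(host string) ([]netip.Addr, error) {
		if host == "metadata.attacker.test" {
			return []netip.Addr{netip.MustParseAddr("169.254.169.254")}, nil
		}
		return []netip.Addr{netip.MustParseAddr("93.184.216.34")}, nil // anything else: a public address
	}
	for _, raw := range []string{"http://example.com/", "http://[::ffff:127.0.0.1]/", "http://metadata.attacker.test/"} {
		fmt.Printf("%-34s regex=%-5v check=%v\n", raw, RegexBlocks(raw), CheckURL(raw, resolve))
	}
	hop, _ := http.NewRequest("GET", "http://169.254.169.254/latest/meta-data/", nil) // the 302 target
	fmt.Println("redirect hop:", NewSSRFSafeClient(resolve).CheckRedirect(hop, nil))
}
```

The printed lines show the regex passing both the mapped-IPv6 literal and the attacker hostname that the resolver-based check rejects, and the last line shows the redirect hop being refused. Gotenberg hands the fetch to Chromium rather than to a Go http.Client, so the Dialer.Control step applies only where your own process opens the connection; for a headless-browser fetch the equivalent is to enforce the same address rule on every navigation request, or at the network boundary, rather than on the first URL alone. A per-hop check by itself still leaves DNS rebinding open, which is why the connect-time check is there.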
Aliases
0
alias CVE-2026-42595
1
alias GHSA-chwh-f6gm-r836
Fixed_packages
0
url pkg:golang/github.com/gotenberg/gotenberg/v8@8.32.0
purl pkg:golang/github.com/gotenberg/gotenberg/v8@8.32.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/gotenberg/gotenberg/v8@8.32.0
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42595
reference_id
reference_type
scores
0
value 0.00064
scoring_system epss
scoring_elements 0.20249
published_at 2026-06-12T12:55:00Z
1
value 0.00064
scoring_system epss
scoring_elements 0.20246
published_at 2026-06-14T12:55:00Z
2
value 0.00064
scoring_system epss
scoring_elements 0.20075
published_at 2026-06-11T12:55:00Z
3
value 0.00064
scoring_system epss
scoring_elements 0.2027
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42595
1
reference_url https://github.com/gotenberg/gotenberg
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/gotenberg/gotenberg
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42595
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42595
3
reference_url https://github.com/gotenberg/gotenberg/security/advisories/GHSA-chwh-f6gm-r836
reference_id GHSA-chwh-f6gm-r836
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T18:50:56Z/
url https://github.com/gotenberg/gotenberg/security/advisories/GHSA-chwh-f6gm-r836
Weaknesses
0
cwe_id 918
name Server-Side Request Forgery (SSRF)
description The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w5ww-yurt-6ycw