Description
Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0, versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0, and versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the submitted HTML references a file through localhost, for example <iframe src="\\localhost/etc/passwd">. By exploiting this vulnerability, an attacker can achieve local file inclusion and read sensitive files on the host system.

Workaround
Alternatively, restrict the URLs Chromium is allowed to fetch with the --chromium-deny-list and/or --chromium-allow-list flags; each takes a regular expression that is matched against the URLs Chromium requests, so a deny pattern covering file: URLs (or an allow pattern limited to trusted hosts) keeps embedded resources from reaching the local filesystem.
Published: 2024-07-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a

Remediation

Upgrade the affected packages to 8.1.0 or later. Until then, restrict the URLs Chromium may fetch with --chromium-deny-list and/or --chromium-allow-list as described under Workaround.


Advisories
Source   ID                 Title
EUVD     EUVD-2024-19196    Same description and workaround text as above.
History

Thu, 02 Jul 2026 16:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Gotenberg; Gotenberg gotenberg
CPEs                                   cpe:2.3:a:gotenberg:gotenberg:*:*:*:*:*:*:*:*
Vendors & Products                     Gotenberg; Gotenberg gotenberg
Metrics                                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 16:00:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-07-02T15:25:06.446Z

Reserved: 2023-12-22T12:33:20.122Z

Link: CVE-2024-21527

Vulnrichment

Updated: 2024-08-01T22:27:34.824Z

NVD

Status : Deferred

Published: 2024-07-19T05:15:10.053

Modified: 2026-06-17T07:09:40.893

Link: CVE-2024-21527

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses