CVE-2026-42596
0 field notes · 1 digest · CVSS 9.4
Daily digests
Gotenberg's downloadFrom and webhook features have a server-side request forgery (SSRF) bug that bypasses the default deny-list. An unauthenticated attacker can make your Gotenberg instance fetch internal URLs, potentially reaching cloud metadata endpoints, internal APIs, or other services behind your firewall. CVSS 9.4, so treat this seriously.
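One way to screen requests at a gateway in front of Gotenberg, as an added example that is not Gotenberg's code and not part of the advisory: it collects the URLs a request asks the server to contact and rejects any that resolve to a non-global address. The webhook header names, the `url` key inside `downloadFrom`, and every function name here are assumptions to verify against your deployment.

```python
import ipaddress
import json
import socket
from urllib.parse import urlsplit

# Assumed request shape (verify for your version): webhook targets arrive in
# these headers, downloadFrom is a JSON array of objects with a "url" key.
WEBHOOK_HEADERS = ("gotenberg-webhook-url", "gotenberg-webhook-error-url")

def resolve(host):
    """Every address the host resolves to; IP literals pass straight through."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_internal(addr):
    """True for loopback, private, link-local and any other non-global address."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not ip.is_global

def outbound_urls(headers, form):
    """Collect every URL the request asks the server to contact."""
    lowered = {k.lower(): v for k, v in headers.items()}
    urls = [lowered[h] for h in WEBHOOK_HEADERS if h in lowered]
    try:
        entries = json.loads(form.get("downloadFrom", "[]"))
        urls += [str(e.get("url", "")) if isinstance(e, dict) else "" for e in entries]
    except (ValueError, TypeError):
        urls.append("")  # unparseable field: force a rejection
    return urls

def rejected_urls(headers, form, resolver=resolve):
    """Return (url, reason) for each URL that should not reach the service."""
    bad = []
    for url in outbound_urls(headers, form):
        try:
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https") or not parts.hostname:
                raise ValueError("scheme or host not allowed")
            internal = [a for a in resolver(parts.hostname) if is_internal(a)]
        except (OSError, ValueError) as exc:
            bad.append((url, str(exc)))
            continue
        if internal:
            bad.append((url, "resolves to non-global address " + internal[0]))
    return bad
```

The check sees only the addresses a name resolves to at screening time, so keep network-level egress restrictions on the Gotenberg host as well.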