CVE-2026-35458
CRITICALGotenberg <=8.29.1 extraHttpHeaders Scope - Regular Expression Denial of Service
Title source: manualDescription
Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/gotenberg/gotenberg/security/advisories/GHSA-fmwg-qcqh-m992
Scores
CVSS v3
9.8
EPSS
0.0050
EPSS Percentile
38.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-1333
Status
published
Products (3)
gotenberg/gotenberg
0 - 8.30.0Go
gotenberg/gotenberg
<= 8.29.1
thecodingmachine/gotenberg
< 8.29.1
Published
Apr 07, 2026
Tracked Since
Apr 07, 2026