Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Anthropic to restore Claude Fable access on Wednesday

    June 30, 2026

    I Have Thoughts About That Kylie Jenner Meta Glasses Ad

    June 30, 2026

    New BioShocking attack manipulates AI browser into data theft

    June 30, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»Alerts»CVE-2026-40280 | THREATINT
    Alerts

    CVE-2026-40280 | THREATINT

    adminBy adminMay 5, 2026No Comments1 Min Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Home

    Description

    Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the –webhook-deny-list and –api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go’s net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/. This bypasses the same security control that was patched in CVE-2026-27018. This issue has been fixed in version 8.31.0.

    PUBLISHED Reserved 2026-04-10 | Published 2026-05-05 | Updated 2026-05-05 | Assigner GitHub_M

    HIGH: 7.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

    Problem types

    CWE-918: Server-Side Request Forgery (SSRF)

    Product status

    <= 8.30.1
    affected

    References

    github.com/…enberg/security/advisories/GHSA-5q7p-7jgv-ww56

    github.com/…ommit/3f01ca18d3cc21375a1e2da4b5a3f261c8548e47

    github.com/advisories/GHSA-jjwv-57xh-xr6r

    cve.org (CVE-2026-40280)

    nvd.nist.gov (CVE-2026-40280)

    Download JSON



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleRedis security advisory (AV26-423) – Canadian Centre for Cyber Security
    Next Article DAEMON Tools trojanized in supply-chain attack to deploy backdoor
    admin
    • Website

    Related Posts

    Alerts

    CISA Adds One Known Exploited Vulnerability to Catalog

    June 12, 2026
    Alerts

    FreePBX security advisory (AV26–596) – Canadian Centre for Cyber Security

    June 12, 2026
    Alerts

    SSA-879734 V1.0: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1

    June 12, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views

    Defending Canada’s Digital Frontier: Combating Phishing, Social Engineering, Ransomware, and Malware

    March 23, 202632 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    IP Address Investigations and Local OSINT

    March 20, 202633 Views

    Defending Canada’s Digital Frontier: Combating Phishing, Social Engineering, Ransomware, and Malware

    March 23, 202632 Views
    Our Picks

    Anthropic to restore Claude Fable access on Wednesday

    June 30, 2026

    I Have Thoughts About That Kylie Jenner Meta Glasses Ad

    June 30, 2026

    New BioShocking attack manipulates AI browser into data theft

    June 30, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.