{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-44829/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["gotenberg/gotenberg"],"_cs_severities":["high"],"_cs_tags":["path-traversal","zip-archive","cve-2026-44829"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA path traversal vulnerability exists in Gotenberg versions up to 8.32.0. The vulnerability stems from the \u003ccode\u003efilepath.Base\u003c/code\u003e function on the Linux container not stripping backslashes (\u003ccode\u003e\\\u003c/code\u003e) from filenames, because the backslash is a path separator only on Windows. By crafting a multipart filename like \u003ccode\u003e..\\..\\..\\..\\Windows\\System32\\evil.pdf\u003c/code\u003e, an attacker can bypass Gotenberg\u0026rsquo;s input sanitization. This filename is then used verbatim as the zip entry name when a multi-output route (e.g., \u003ccode\u003e/forms/pdfengines/split\u003c/code\u003e) returns its result as a zip. Windows zip extractors interpret backslashes as path separators, leading to files being written outside the intended extraction directory. 
This issue is tracked as CVE-2026-44829.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PDF file with an embedded payload, such as a shell script.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to a Gotenberg multi-output route (e.g., \u003ccode\u003e/forms/pdfengines/split\u003c/code\u003e) with a multipart filename containing Windows-style path separators (backslashes), such as \u003ccode\u003e..\\..\\..\\..\\Windows\\System32\\evil.pdf\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGotenberg\u0026rsquo;s call to \u003ccode\u003efilepath.Base\u003c/code\u003e fails to sanitize the filename because backslashes are not recognized as path separators on Linux.\u003c/li\u003e\n\u003cli\u003eThe unsanitized filename is then passed to \u003ccode\u003ectx.diskToOriginal\u003c/code\u003e and subsequently used by \u003ccode\u003eSplitPdfStub\u003c/code\u003e to construct the zip entry name.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003earchives.FilesFromDisk\u003c/code\u003e and \u003ccode\u003earchives.Zip{}.Archive\u003c/code\u003e functions are used to create a zip archive containing the malicious filename.\u003c/li\u003e\n\u003cli\u003eA Windows-based client extracts the generated zip archive, interpreting the backslashes as path separators.\u003c/li\u003e\n\u003cli\u003eThe malicious PDF file is written to an arbitrary location outside the intended extraction directory, such as \u003ccode\u003eC:\\Windows\\System32\\evil.pdf\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary file write capabilities on the target system, leading to potential code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-44829) allows attackers to write arbitrary files on a Windows system that extracts the ZIP 
archive created by Gotenberg. This can lead to arbitrary code execution if the attacker can overwrite critical system files or place executable files in startup directories. The vulnerability affects all multi-output Gotenberg routes, including \u003ccode\u003e/forms/pdfengines/split\u003c/code\u003e, \u003ccode\u003e/forms/pdfengines/flatten\u003c/code\u003e, \u003ccode\u003e/forms/pdfengines/convert\u003c/code\u003e, and others, expanding the attack surface.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested patch provided in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-hwc4-gmrw-5222\"\u003ehttps://github.com/advisories/GHSA-hwc4-gmrw-5222\u003c/a\u003e) to sanitize filenames and prevent path traversal attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to detect exploitation attempts targeting CVE-2026-44829 by monitoring HTTP requests to Gotenberg endpoints with suspicious filenames.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to Gotenberg endpoints (e.g., \u003ccode\u003e/forms/pdfengines/split\u003c/code\u003e) containing filenames with Windows-style path separators (backslashes) to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T16:38:50Z","date_published":"2026-05-29T16:38:50Z","id":"https://feed.craftedsignal.io/briefs/2026-05-gotenberg-path-traversal/","summary":"Gotenberg is vulnerable to path traversal (CVE-2026-44829) due to improper sanitization of filenames in zip archives, allowing attackers to write files outside the intended extraction directory by using Windows-style path separators (backslashes) in uploaded filenames, affecting versions up to 8.32.0.","title":"Gotenberg Path Traversal Vulnerability via Windows-Style Separators in Zip Entry Name 
(CVE-2026-44829)","url":"https://feed.craftedsignal.io/briefs/2026-05-gotenberg-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-44829","version":"https://jsonfeed.org/version/1.1"}