Tag

Exiftool

3 briefs RSS

Gotenberg ExifTool Metadata Write Blocklist Bypass Vulnerability

The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server.

Gotenberg exiftool metadata file-manipulation

2r 1t May 7, 2026

critical advisory

Gotenberg Unauthenticated RCE via ExifTool Metadata Key Injection

3 rules 1 TTP

Gotenberg version 8.29.1 is vulnerable to unauthenticated remote code execution (RCE) due to newline injection in metadata keys passed to ExifTool, allowing arbitrary command execution via the `-if` flag.

Gotenberg 8.29.1 gotenberg rce exiftool newline-injection cwe-78

3r 1t Jan 3, 2024

high advisory

exiftool-vendored Argument Injection Vulnerability

2 rules 1 TTP

exiftool-vendored is vulnerable to argument injection (CVE-2026-43893) via newline characters in tag names, potentially allowing attackers to read or write files accessible to the ExifTool process by injecting arguments through caller-supplied strings.

exiftool-vendored argument-injection exiftool cve-2026-43893

2r 1t Jan 3, 2024