CVE-2026-44829: Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename

May 29, 2026

filepath.Base on the Linux container does not strip backslashes (\), because \ is only a path separator on Windows. A multipart filename like ..\..\..\..\Windows\System32\evil.pdf survives Gotenberg’s input sanitisation and lands verbatim as the zip entry name when a multi-output route returns its result as a zip (e.g. /forms/pdfengines/split). Windows zip extractors interpret \ as a path separator and write the file outside the extraction directory.

References

github.com/advisories/GHSA-hwc4-gmrw-5222
github.com/gotenberg/gotenberg/releases/tag/v8.33.0
github.com/gotenberg/gotenberg/security/advisories/GHSA-hwc4-gmrw-5222
nvd.nist.gov/vuln/detail/CVE-2026-44829

Code Behaviors & Features

Detect and mitigate CVE-2026-44829 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →