CVE-2026-35458

Name of the Vulnerable Software and Affected Versions Gotenberg versions 8.29.1 and earlier

Description Gotenberg uses the dlclark/regexp2 library to compile user-supplied scope patterns without a timeout. This allows users with access to features utilizing this logic to potentially hang workers indefinitely. Specifically, the /forms/chromium/screenshot/url API endpoint is vulnerable. Attackers can craft a malicious scope pattern within the extraHttpHeaders form field, using nested quantifiers that cause infinite backtracking (ReDoS), leading to a denial-of-service condition. The vulnerable code is located in gotenberg/pkg/modules/chromium/routes.go:200.

Recommendations Gotenberg versions prior to 8.29.1 should be updated.