thecodingmachine CVE Vulnerabilities & Metrics

Focus on thecodingmachine vulnerabilities and metrics.

Last updated: 16 Apr 2026, 22:25 UTC

About thecodingmachine Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with thecodingmachine. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total thecodingmachine CVEs: 9
Earliest CVE date: 07 Jan 2021, 22:15 UTC
Latest CVE date: 07 Apr 2026, 15:17 UTC

Latest CVE reference: CVE-2026-35458

Rolling Stats

30-day Count (Rolling): 2
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical thecodingmachine CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.64

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	2
4.0-6.9	4
7.0-8.9	3
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS thecodingmachine CVEs

These are the five CVEs with the highest CVSS scores for thecodingmachine, sorted by severity first and recency.

CVE-2020-13452 thecodingmachine Published on 07 Jan 2021, 22:15 UTC (CVSS: 7.5)
In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.
CVE-2020-13451 thecodingmachine Published on 07 Jan 2021, 22:15 UTC (CVSS: 7.5)
An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros.
CVE-2020-13450 thecodingmachine Published on 07 Jan 2021, 22:15 UTC (CVSS: 7.5)
A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to upload and overwrite any writable files outside the intended folder. This can lead to DoS, a change to program behavior, or code execution.
CVE-2020-14160 thecodingmachine Published on 26 Aug 2021, 11:15 UTC (CVSS: 5.0)
An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able to read local files or fetch intranet resources.
CVE-2021-23345 thecodingmachine Published on 26 Feb 2021, 18:15 UTC (CVSS: 5.0)
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.

All CVEs for thecodingmachine

CVE-2026-35458 thecodingmachine vulnerability CVSS: 0 07 Apr 2026, 15:17 UTC

Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.

CVE-2026-27018 thecodingmachine vulnerability CVSS: 0 30 Mar 2026, 21:17 UTC

Gotenberg is an API for converting document formats. Prior to version 8.29.0, the fix introduced for CVE-2024-21527 can be bypassed using mixed-case or uppercase URL schemes. This issue has been patched in version 8.29.0.

CVE-2020-14161 thecodingmachine vulnerability CVSS: 4.3 26 Aug 2021, 11:15 UTC

It is possible to inject HTML and/or JavaScript in the HTML to PDF conversion in Gotenberg through 6.2.1 via the /convert/html endpoint.

CVE-2020-14160 thecodingmachine vulnerability CVSS: 5.0 26 Aug 2021, 11:15 UTC

An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able to read local files or fetch intranet resources.

CVE-2021-23345 thecodingmachine vulnerability CVSS: 5.0 26 Feb 2021, 18:15 UTC

All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.

CVE-2020-13452 thecodingmachine vulnerability CVSS: 7.5 07 Jan 2021, 22:15 UTC

In Gotenberg through 6.2.1, insecure permissions for tini (writable by user gotenberg) potentially allow an attacker to overwrite the file, which can lead to denial of service or code execution.

CVE-2020-13451 thecodingmachine vulnerability CVSS: 7.5 07 Jan 2021, 22:15 UTC

An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros.

CVE-2020-13450 thecodingmachine vulnerability CVSS: 7.5 07 Jan 2021, 22:15 UTC

A directory traversal vulnerability in file upload function of Gotenberg through 6.2.1 allows an attacker to upload and overwrite any writable files outside the intended folder. This can lead to DoS, a change to program behavior, or code execution.

CVE-2020-13449 thecodingmachine vulnerability CVSS: 5.0 07 Jan 2021, 22:15 UTC

A directory traversal vulnerability in the Markdown engine of Gotenberg through 6.2.1 allows an attacker to read any container files.