CVE-2026-27888
HIGH
GHSA-x7hp-r3qg-r3cj
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.
Analysis
Denial of service in pypdf prior to version 6.7.3 allows remote attackers to exhaust system memory by crafting malicious PDF files that exploit FlateDecode-compressed streams accessed through the xfa property. The vulnerability requires no authentication or user interaction and affects any application processing untrusted PDF documents with the vulnerable library. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems and applications using pypdf library and document current versions. Within 7 days: Test and deploy pypdf version 6.7.3 or later in development and staging environments. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today