CVE-2026-40260

Severity: MEDIUM (CVSS 4.0 base score 6.9)
Weakness: Improper Restriction of Recursive Entity References in DTDs (CWE-776)
Published: 2026-04-10
Project: https://github.com/py-pdf/pypdf
Advisory: GHSA-3crg-w4f6-42mx

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (4 events)

  • CVSS changed: Apr 17, 2026 - 01:22 (NVD), 6.9 (MEDIUM)
  • Analysis Generated: Apr 10, 2026 - 21:45 (vuln.today)
  • Patch released: Apr 10, 2026 - 21:45 (nvd), patch available
  • CVE Published: Apr 10, 2026 - 20:59 (nvd), MEDIUM

Blast Radius (ecosystem impact)

  • 5 pypi packages depend on pypdf (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.10.0; vuln.today resolves the transitive dependency graph to a depth of 4.

Description (NVD)

Impact

An attacker who exploits this vulnerability can craft a PDF that leads to large memory usage. This requires parsing the XMP metadata.

Patches

This has been fixed in pypdf==6.10.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3724.
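The impact statement above is the classic CWE-776 pattern: an XMP packet can carry a DTD whose entities reference one another, so a few kilobytes of input expand to a very large string once an XML parser resolves them. The following is an added example, not code from pypdf, the advisory or PR #3724. It shows one defensive pre-check that refuses any XMP packet declaring a DOCTYPE or an entity before the packet reaches an XML parser, using only the Python standard library. It assumes that no legitimate XMP packet carries a DOCTYPE (XMP is plain RDF/XML); the 1 MiB size cap and the two sample packets are constructed for the example and are not taken from any real PDF.

```python
"""Reject XMP packets that declare a DTD or entities before parsing them.

Added example (not pypdf code). XMP metadata is plain RDF/XML and never
needs a DOCTYPE, so a DOCTYPE or any <!ENTITY> declaration is treated as a
reason to refuse the packet outright, before any entity expansion can run.
"""
from typing import Optional
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

# Assumption for this example: real XMP packets are a few KiB; 1 MiB is a generous cap.
MAX_XMP_BYTES = 1 << 20


class UnsafeXmpError(ValueError):
    """Raised when an XMP packet is rejected by the pre-check."""


class _Reject(Exception):
    """Internal signal raised from an expat handler to abort parsing early."""


def xmp_rejection_reason(xmp: bytes) -> Optional[str]:
    """Return None if the packet is acceptable, otherwise a human-readable reason.

    Expat invokes StartDoctypeDeclHandler and EntityDeclHandler while it reads
    the DTD, i.e. before it reaches the document body where entity references
    would be expanded, so raising from these handlers stops parsing in time.
    """
    if len(xmp) > MAX_XMP_BYTES:
        return f"packet is {len(xmp)} bytes, above the {MAX_XMP_BYTES}-byte cap"

    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise _Reject(f"DOCTYPE {name!r} declared; XMP packets need no DTD")

    def on_entity(name, is_parameter_entity, value, base, system_id, public_id, notation):
        raise _Reject(f"entity {name!r} declared")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xmp, True)  # exceptions raised in handlers propagate out of Parse()
    except _Reject as reject:
        return str(reject)
    except expat.ExpatError as exc:
        return f"not well-formed XML: {exc}"
    return None


def parse_xmp(xmp: bytes) -> ET.Element:
    """Parse an XMP packet only after the pre-check has accepted it."""
    reason = xmp_rejection_reason(xmp)
    if reason is not None:
        raise UnsafeXmpError(reason)
    return ET.fromstring(xmp)


# Constructed sample packets (not from any real PDF).
BENIGN_XMP = b"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:title>example</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""

# Two-level entity nesting is enough to show the shape of the pattern; the
# rejection fires on the DOCTYPE, before the body (and any expansion) is reached.
ENTITY_XMP = b"""<?xml version="1.0"?>
<!DOCTYPE x:xmpmeta [
 <!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <dc:title xmlns:dc="http://purl.org/dc/elements/1.1/">&b;</dc:title>
</x:xmpmeta>"""


if __name__ == "__main__":
    print("benign:", xmp_rejection_reason(BENIGN_XMP))
    print("entity:", xmp_rejection_reason(ENTITY_XMP))
    print("root tag:", parse_xmp(BENIGN_XMP).tag)
```

The pre-check runs a separate expat pass whose only job is to watch the DTD; the actual tree is built afterwards with ElementTree on packets that passed. Rejecting every DOCTYPE rather than counting entity depth keeps the rule simple and avoids depending on whichever amplification limits the linked expat version happens to enforce.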

Analysis (AI)

Memory exhaustion in the pypdf library allows remote attackers to cause a denial of service by crafting malicious PDF files whose XMP metadata triggers excessive memory consumption during parsing. Versions prior to pypdf 6.10.0 are affected; a vendor-released patch is available. …

Vendor Status

CVE-2026-40260 vulnerability details – vuln.today
