Skip to main content

pypdf CVE-2026-49460

| EUVDEUVD-2026-38357 MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-06-16 https://github.com/py-pdf/pypdf GHSA-5hgr-hg42-57jg
5.1
CVSS 4.0 · Vendor: https://github.com/py-pdf/pypdf
Share

Severity by source

Vendor (https://github.com/py-pdf/pypdf) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-delivered PDF requires application or user to process it (UI:R); no privileges needed; impact is availability only with no scope change.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/py-pdf/pypdf).

CVSS VectorVendor: https://github.com/py-pdf/pypdf

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 21:39 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 14:20 vuln.today
Analysis Generated
Jun 16, 2026 - 14:20 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on pypdf (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.12.2.

DescriptionCVE.org

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /FlateDecode filter with a PNG predictor.

Patches

This has been fixed in pypdf==6.12.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3806.

AnalysisAI

Denial-of-service in the pypdf Python library allows an attacker to cause excessive CPU consumption by supplying a crafted PDF containing a FlateDecode stream with a PNG predictor filter. Any application using pypdf to parse untrusted PDFs is affected on versions prior to 6.12.2. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft PDF with oversized FlateDecode PNG predictor stream
Delivery
Deliver PDF to pypdf-based application via upload or file path
Exploit
Application invokes FlateDecode decoder on the stream
Execution
_decode_png_prediction iterates millions of rows using slow Python list operations
Impact
CPU exhaustion causes application thread to hang or time out

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses pypdf (versions < 6.12.2) to open or process a PDF file supplied by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was provided by NVD; the score is assessed independently below. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads a PDF to a web application that uses pypdf for document parsing. The PDF contains a single stream object with the /FlateDecode filter and a PNG predictor encoding a synthetic image with 120,000 rows and a very wide column count. …
Remediation Upgrade to pypdf==6.12.2 immediately; this is the vendor-released patch that resolves the inefficiency by replacing Python list/tuple row accumulation with bytearray/bytes operations in _decode_png_prediction. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-49460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy