Skip to main content

pypdf CVE-2026-49461

| EUVDEUVD-2026-38356 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-16 https://github.com/py-pdf/pypdf GHSA-j543-4vmf-qm7v
6.9
CVSS 4.0 · Vendor: https://github.com/py-pdf/pypdf
Share

Severity by source

Vendor (https://github.com/py-pdf/pypdf) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-delivered PDF triggers memory exhaustion with no authentication or user interaction required; only availability is impacted.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/py-pdf/pypdf).

CVSS VectorVendor: https://github.com/py-pdf/pypdf

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 21:39 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 14:21 vuln.today
Analysis Generated
Jun 16, 2026 - 14:21 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 pypi packages depend on pypdf (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.12.2.

DescriptionCVE.org

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references.

Patches

This has been fixed in pypdf==6.12.2.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3805.

AnalysisAI

Uncontrolled resource consumption in pypdf versions before 6.12.2 allows any attacker who can cause an application to call extract_text() on a crafted PDF to trigger unbounded memory growth, resulting in denial of service. The vulnerability arises specifically during form XObject traversal: a PDF containing a self-referencing XObject resource dictionary causes the extraction code to recurse infinitely without cycle detection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft PDF with self-referencing form XObject
Delivery
Deliver PDF to application accepting untrusted uploads
Exploit
Application calls extract_text() on the affected page
Execution
Recursive XObject resolution enters infinite loop
Persist
Heap memory exhausted
Impact
Application process crashes or is OOM-killed

Vulnerability AssessmentAI

Exploitation Exploitation requires that the vulnerable application calls `extract_text()` (or internally calls `extract_xform_text()`) on a page from an attacker-supplied PDF, and that the PDF contains a form XObject with a self-referential or cyclic entry in its `/Resources /XObject` dictionary. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score was provided in the source data, so risk metrics are independently assessed rather than sourced from NVD or vendor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads a crafted PDF to a document processing web application that uses pypdf to index page text. The PDF contains a form XObject whose `/Resources /XObject` dictionary includes a self-reference, causing `page.extract_text()` to recurse without bound. …
Remediation Upgrade to pypdf 6.12.2 or later, released at https://github.com/py-pdf/pypdf/releases/tag/6.12.2 - this is the definitive fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-49461 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy