Skip to main content

Pypdf

22 CVEs product

Monthly

CVE-2026-59936 HIGH PATCH This Week

Denial of service in the pypdf Python PDF library (all versions prior to 6.14.1) allows a remote attacker to hang a consuming application by supplying a malicious PDF. A page content stream containing an unterminated inline image drives the inline-image end-marker detection logic into an infinite loop, most notably triggered during page text extraction. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects an unauthenticated, low-complexity availability attack, and a fixed release (6.14.1) is available.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59935 HIGH PATCH This Week

Denial of service in pypdf before 6.14.2 lets a remote attacker hang any application that parses an attacker-supplied PDF: a page content stream carrying an unterminated inline image with an ASCII85 or ASCIIHex filter drives the parser into an infinite loop (CWE-835), most notably during page text extraction. The pure-Python library is very widely used in document-processing and data-ingestion pipelines, so a single malicious file can pin a CPU core and stall the worker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the root cause is well-described and trivially reproducible.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59937 MEDIUM PATCH This Month

Uncontrolled resource consumption in pypdf prior to 6.14.0 allows unauthenticated remote attackers to cause denial of service by submitting a crafted PDF containing repeated malformed cross-reference streams. The library's XRef table recovery routine performs unbounded work on such inputs, leading to excessive CPU time consumption and effectively hanging or severely degrading any application that processes attacker-supplied PDFs. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59938 MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-57204 PyPI MEDIUM PATCH This Month

Memory exhaustion in pypdf prior to 6.13.3 allows unauthenticated remote attackers to cause denial of service by supplying a maliciously crafted PDF. The MAX_DECLARED_STREAM_LENGTH safety cap - designed to bound memory allocation during stream parsing - is bypassed when a PDF content stream omits the /Length value, enabling unbounded memory growth. No active exploitation is confirmed (not in CISA KEV), but the attack surface encompasses any Python application that parses attacker-supplied PDFs, a common pattern in document pipelines and web upload handlers.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-54651 PyPI MEDIUM POC PATCH GHSA This Month

Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the `_add_articles_thread()` method of `_writer.py`, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential `/N` (Next) pointer chain to create an irrecoverable loop. No public exploit code or CISA KEV listing exists at time of analysis, but the upstream PR diff publicly discloses the precise triggering structure, lowering the bar for exploitation against vulnerable merge pipelines.

Denial Of Service Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-31826 PyPI MEDIUM PATCH This Month

pypdf is a free and open-source pure-python PDF library. versions up to 6.8.0 is affected by allocation of resources without limits or throttling.

Python Denial Of Service Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-28804 PyPI MEDIUM PATCH This Month

pypdf versions prior to 6.7.5 are vulnerable to denial-of-service attacks where specially crafted PDF files with ASCIIHexDecode filtered streams can cause excessive processing time and application hang. An unauthenticated attacker can exploit this by providing a malicious PDF that consumes significant computational resources when processed. A patch is available in version 6.7.5 and later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28351 PyPI MEDIUM PATCH This Month

Crafted PDF files can trigger excessive memory consumption in pypdf versions before 6.7.4 when processing content streams with the RunLengthDecode filter, enabling denial-of-service attacks against applications using the library. An unauthenticated attacker can exploit this remotely by submitting a malicious PDF, causing the affected application to exhaust system memory. A patch is available in pypdf 6.7.4 and later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-27888 PyPI HIGH PATCH This Week

Denial of service in pypdf prior to version 6.7.3 allows remote attackers to exhaust system memory by crafting malicious PDF files that exploit FlateDecode-compressed streams accessed through the xfa property. The vulnerability requires no authentication or user interaction and affects any application processing untrusted PDF documents with the vulnerable library. Upgrade to pypdf 6.7.3 or later to remediate.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27628 PyPI HIGH PATCH This Week

Pypdf versions up to 6.7.2 is affected by loop with unreachable exit condition (infinite loop) (CVSS 7.5).

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27026 PyPI MEDIUM PATCH This Month

Pypdf versions up to 6.7.1 is affected by allocation of resources without limits or throttling (CVSS 5.5).

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27025 PyPI MEDIUM PATCH This Month

Resource exhaustion in pypdf versions prior to 6.7.1 occurs when processing maliciously crafted PDF files with manipulated /ToUnicode font entries, causing excessive memory consumption and processing delays during text extraction operations. A local attacker with file access can exploit this to degrade system performance, though no code execution or data compromise is possible. The vulnerability affects Python environments using pypdf and is remedied by upgrading to version 6.7.1 or later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-27024 PyPI MEDIUM PATCH This Month

Pypdf versions up to 6.7.1 is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.5).

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-24688 PyPI MEDIUM PATCH This Month

Pypdf versions up to 6.6.2 is affected by loop with unreachable exit condition (infinite loop) (CVSS 4.3).

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-22691 PyPI MEDIUM PATCH This Month

pypdf versions prior to 6.6.0 are vulnerable to denial of service through CPU exhaustion when processing malformed PDF files with crafted startxref entries in non-strict reading mode. An attacker can create a specially crafted PDF containing excessive whitespace that causes the library to consume significant processing resources during cross-reference table reconstruction. A patch is available in version 6.6.0 and later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22690 PyPI MEDIUM PATCH This Month

Denial of service via resource exhaustion in pypdf prior to version 6.6.0 allows remote attackers to trigger excessive processing times by submitting specially crafted PDF files with missing /Root objects and inflated /Size values. The vulnerability only affects non-strict parsing mode and causes the library to consume significant CPU resources when processing otherwise invalid documents. A patch is available in version 6.6.0 and later.

Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-55197 PyPI MEDIUM PATCH This Month

pypdf is a free and open-source pure-python PDF library. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Python Pypdf Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.1%
CVE-2023-46250 PyPI MEDIUM PATCH This Month

pypdf is a free and open-source pure-python PDF library. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-36810 PyPI MEDIUM POC PATCH This Month

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Pypdf
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-36807 PyPI MEDIUM POC PATCH This Month

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-36464 PyPI MEDIUM POC PATCH This Month

pypdf is an open source, pure-python PDF library. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Pypdf Pypdf2
NVD GitHub
CVSS 3.1
5.5
EPSS
0.4%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in the pypdf Python PDF library (all versions prior to 6.14.1) allows a remote attacker to hang a consuming application by supplying a malicious PDF. A page content stream containing an unterminated inline image drives the inline-image end-marker detection logic into an infinite loop, most notably triggered during page text extraction. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects an unauthenticated, low-complexity availability attack, and a fixed release (6.14.1) is available.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in pypdf before 6.14.2 lets a remote attacker hang any application that parses an attacker-supplied PDF: a page content stream carrying an unterminated inline image with an ASCII85 or ASCIIHex filter drives the parser into an infinite loop (CWE-835), most notably during page text extraction. The pure-Python library is very widely used in document-processing and data-ingestion pipelines, so a single malicious file can pin a CPU core and stall the worker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the root cause is well-described and trivially reproducible.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Uncontrolled resource consumption in pypdf prior to 6.14.0 allows unauthenticated remote attackers to cause denial of service by submitting a crafted PDF containing repeated malformed cross-reference streams. The library's XRef table recovery routine performs unbounded work on such inputs, leading to excessive CPU time consumption and effectively hanging or severely degrading any application that processes attacker-supplied PDFs. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Memory exhaustion in pypdf prior to 6.13.3 allows unauthenticated remote attackers to cause denial of service by supplying a maliciously crafted PDF. The MAX_DECLARED_STREAM_LENGTH safety cap - designed to bound memory allocation during stream parsing - is bypassed when a PDF content stream omits the /Length value, enabling unbounded memory growth. No active exploitation is confirmed (not in CISA KEV), but the attack surface encompasses any Python application that parses attacker-supplied PDFs, a common pattern in document pipelines and web upload handlers.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the `_add_articles_thread()` method of `_writer.py`, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential `/N` (Next) pointer chain to create an irrecoverable loop. No public exploit code or CISA KEV listing exists at time of analysis, but the upstream PR diff publicly discloses the precise triggering structure, lowering the bar for exploitation against vulnerable merge pipelines.

Denial Of Service Python Pypdf +2
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

pypdf is a free and open-source pure-python PDF library. versions up to 6.8.0 is affected by allocation of resources without limits or throttling.

Python Denial Of Service Pypdf +2
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

pypdf versions prior to 6.7.5 are vulnerable to denial-of-service attacks where specially crafted PDF files with ASCIIHexDecode filtered streams can cause excessive processing time and application hang. An unauthenticated attacker can exploit this by providing a malicious PDF that consumes significant computational resources when processed. A patch is available in version 6.7.5 and later.

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Crafted PDF files can trigger excessive memory consumption in pypdf versions before 6.7.4 when processing content streams with the RunLengthDecode filter, enabling denial-of-service attacks against applications using the library. An unauthenticated attacker can exploit this remotely by submitting a malicious PDF, causing the affected application to exhaust system memory. A patch is available in pypdf 6.7.4 and later.

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in pypdf prior to version 6.7.3 allows remote attackers to exhaust system memory by crafting malicious PDF files that exploit FlateDecode-compressed streams accessed through the xfa property. The vulnerability requires no authentication or user interaction and affects any application processing untrusted PDF documents with the vulnerable library. Upgrade to pypdf 6.7.3 or later to remediate.

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Pypdf versions up to 6.7.2 is affected by loop with unreachable exit condition (infinite loop) (CVSS 7.5).

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Pypdf versions up to 6.7.1 is affected by allocation of resources without limits or throttling (CVSS 5.5).

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Resource exhaustion in pypdf versions prior to 6.7.1 occurs when processing maliciously crafted PDF files with manipulated /ToUnicode font entries, causing excessive memory consumption and processing delays during text extraction operations. A local attacker with file access can exploit this to degrade system performance, though no code execution or data compromise is possible. The vulnerability affects Python environments using pypdf and is remedied by upgrading to version 6.7.1 or later.

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Pypdf versions up to 6.7.1 is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.5).

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Pypdf versions up to 6.6.2 is affected by loop with unreachable exit condition (infinite loop) (CVSS 4.3).

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

pypdf versions prior to 6.6.0 are vulnerable to denial of service through CPU exhaustion when processing malformed PDF files with crafted startxref entries in non-strict reading mode. An attacker can create a specially crafted PDF containing excessive whitespace that causes the library to consume significant processing resources during cross-reference table reconstruction. A patch is available in version 6.6.0 and later.

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Denial of service via resource exhaustion in pypdf prior to version 6.6.0 allows remote attackers to trigger excessive processing times by submitting specially crafted PDF files with missing /Root objects and inflated /Size values. The vulnerability only affects non-strict parsing mode and causes the library to consume significant CPU resources when processing otherwise invalid documents. A patch is available in version 6.6.0 and later.

Python Pypdf Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

pypdf is a free and open-source pure-python PDF library. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Python Pypdf +2
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

pypdf is a free and open-source pure-python PDF library. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Pypdf
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

pypdf is an open source, pure-python PDF library. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Pypdf +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy