CVE-2026-3666
published 2026-03-02

CVE-2026-3666: CVE-2026-28804 [MEDIUM] CWE-407 pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams

Priority: P2 63
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.45% (35.7th percentile)
CVE-2026-28804 [MEDIUM] CWE-407 pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams

### Impact
An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the `/ASCIIHexDecode` filter.

### Patches
This has been fixed in [pypdf==6.7.5](https://github.com/py-pdf/pypdf/releases/tag/6.7.5).

### Workarounds
If you cannot upgrade yet, consider applying the changes from PR [#3666](https://github.com/py-pdf/pypdf/pull/3666).

Affected

1 range

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| pypdf_project | pypdf | >= 0 < 6.7.5 | 6.7.5 |
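
To find installs that still need the upgrade, the following added example (not code from pypdf or from this page) checks exact `pypdf==` pins in a requirements file and the installed distribution against the affected range `>= 0, < 6.7.5`. The function names and the sample requirements text are assumptions made for illustration; specifiers other than `==` are not evaluated.

```python
import re
from importlib import metadata

FIXED = (6, 7, 5)  # first fixed release per the advisory ("Fixed in" column)
# Exact pins only, e.g. "pypdf==6.7.4" or "PyPDF[crypto] == 5.1.0"; "pypdf2" is a different name.
PIN = re.compile(r"^\s*pypdf\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", re.IGNORECASE)
PRE = re.compile(r"[-_.]?(a|b|c|rc|alpha|beta|pre|preview|dev)")

def is_affected(version):
    """True if version is in the advisory range (>= 0, < 6.7.5); None if unparseable."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)(.*?)\s*", version)
    if not m:
        return None
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad so "6.7" compares as 6.7.0
    if release == FIXED and PRE.match(m.group(2).lower()):
        return True  # a pre-release of 6.7.5 sorts before the fixed release
    return release < FIXED

def scan_requirements(text):
    """Return (line_number, version) for each pypdf pin that is affected or unparseable."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        if m and is_affected(m.group(1)) is not False:
            hits.append((lineno, m.group(1)))
    return hits

def installed_pypdf_affected():
    """Check the pypdf in the current environment; None if it is not installed."""
    try:
        return is_affected(metadata.version("pypdf"))
    except metadata.PackageNotFoundError:
        return None

# Constructed sample requirements file, not taken from the advisory.
SAMPLE = """\
# constructed sample
requests==2.32.3
pypdf==6.7.4
PyPDF[crypto]==5.1.0 ; python_version >= '3.9'
pypdf2==3.0.1
pypdf==6.7.5
"""

if __name__ == "__main__":
    print("affected pins:", scan_requirements(SAMPLE))
    print("installed pypdf affected:", installed_pypdf_affected())
```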