cbcvebase.
CVE-2026-48735
published 2026-05-28

Priority: P421, medium, 5.5 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:N / A:H
EPSS: 0.13% (3.0th percentile)

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1.

Affected

14 ranges
Vendor | Product | Version range | Fixed in
ansible-automation-platform-25 | lightspeed-chatbot-rhel8 | |
exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | |
openshift-lightspeed-tech-preview | lightspeed-rag-tool-rhel9 | |
openshift-lightspeed | lightspeed-ocp-rag-rhel9 | |
py-pdf | pypdf | < 6.12.1 | 6.12.1
pypdf_project | pypdf | < 6.12.1 | 6.12.1
pypdf_project | pypdf | >= 0 < 6.12.1 | 6.12.1
quay | quay-rhel8 | |
quay | quay-rhel9 | |
rhelai3 | bootc-cuda-rhel9 | |
rhelai3 | bootc-gaudi-rhel9 | |
rhelai3 | bootc-rocm-rhel9 | |
rhelai3 | disk-image-cuda-rhel9 | |
rhoai | odh-llama-stack-core-rhel9 | |

CVSS provenance

nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat | | 6.9 | MEDIUM |