Pypdf Project Pypdf vulnerabilities
34 known vulnerabilities affecting pypdf_project/pypdf.
Total CVEs: 34
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 26, LOW 2
Vulnerabilities
Page 2 of 2
CVE-2026-54531 | P4 | MEDIUM | CVSS 5.5 | CWE-835 | fixed in 6.13.0 | 2026-06-22
pypdf is a free and open-source pure-python PDF library. Prior to 6.13.0, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer. This vulnerability is fixed in 6.13.0.
Sources: GHSA, NVD
CVE-2026-49461 | P4 | MEDIUM | CVSS 5.5 | CWE-400 | fixed in 6.12.2 | 2026-06-22
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. This vulnerability is fixed in 6.12.2.
Sources: GHSA, NVD
CVE-2026-54651 | P4 | MEDIUM | CVSS 5.5 | CWE-835 | fixed in 6.13.1 | 2026-06-22
pypdf is a free and open-source pure-python PDF library. Prior to 6.13.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with threads/articles into a writer. This vulnerability is fixed in 6.13.1.
Sources: NVD
CVE-2026-27024 | P4 | MEDIUM | CVSS 5.5 | CWE-835 | fixed in 6.7.1 | 2026-02-20
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1.
Sources: GHSA, NVD, OSV
CVE-2026-27026 | P4 | MEDIUM | CVSS 5.5 | CWE-770 | fixed in 6.7.1 | 2026-02-20
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed in 6.7.1.
Sources: GHSA, NVD, OSV
CVE-2026-27025 | P4 | MEDIUM | CVSS 5.5 | CWE-834 | fixed in 6.7.1 | 2026-02-20
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction. This vulnerability is fixed in 6.7.1.
Sources: GHSA, NVD, OSV
CVE-2023-36464 | P4 | MEDIUM | CVSS 5.5 | CWE-835 | fixed in 3.9.0 | 2023-06-27
pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull request #969 and resolved in pull request #1828. Users are advised to
Sources: GHSA, NVD, OSV
CVE-2023-46250 | P4 | MEDIUM | CVSS 5.5 | CWE-835 | affected ≥ 3.7.0, < 3.17.0 | 2023-10-31
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when th
Sources: GHSA, NVD, OSV
CVE-2026-31826 | P4 | MEDIUM | CVSS 5.5 | CWE-770 | fixed in 6.8.0 | 2026-03-10
pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This vulnerability is fixed in 6.8.0.
Sources: GHSA, NVD, OSV
CVE-2026-48735 | P4 | MEDIUM | CVSS 5.5 | CWE-770 | fixed in 6.12.1 | 2026-05-28
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1.
Sources: GHSA, NVD
CVE-2026-48155 | P4 | MEDIUM | CVSS 5.5 | CWE-400 | fixed in 6.12.0 | 2026-05-28
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0.
Sources: GHSA, NVD
CVE-2026-24688 | P4 | MEDIUM | CVSS 4.3 | CWE-835 | fixed in 6.6.2 | 2026-01-27
pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from
Sources: GHSA, NVD, OSV
CVE-2026-49460 | P4 | LOW | CVSS 3.3 | CWE-407 | fixed in 6.12.2 | 2026-06-22
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.2, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /FlateDecode filter with a PNG predictor. This vulnerability is fixed in 6.12.2.
Sources: GHSA, NVD
CVE-2026-48156 | P4 | LOW | CVSS 3.3 | CWE-834 | fixed in 6.12.0 | 2026-05-28
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.
Sources: GHSA, NVD