PyPI package
pypdf
pkg:pypi/pypdf
Vulnerabilities (29)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24688 | — | < 6.6.2 | 6.6.2 | Jan 27, 2026 | pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6. | ||
| CVE-2026-22691 | — | < 6.6.0 | 6.6.0 | Jan 10, 2026 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding | ||
| CVE-2026-22690 | — | < 6.6.0 | 6.6.0 | Jan 10, 2026 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid f | ||
| CVE-2025-66019 | Med | — | < 6.4.0 | 6.4.0 | Nov 26, 2025 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter. This iss | |
| CVE-2025-62708 | — | < 6.1.3 | 6.1.3 | Oct 22, 2025 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf | ||
| CVE-2025-62707 | — | < 6.1.3 | 6.1.3 | Oct 22, 2025 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This | ||
| CVE-2025-55197 | — | < 6.0.0 | 6.0.0 | Aug 13, 2025 | pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content | ||
| CVE-2023-46250 | — | >= 3.7.0, < 3.17.0 | 3.17.0 | Oct 31, 2023 | pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. | ||
| CVE-2023-36464 | — | >= 3.1.0, < 3.9.0 | 3.9.0 | Jun 27, 2023 | pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull |
- CVE-2026-24688Jan 27, 2026affected < 6.6.2fixed 6.6.2
pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.
- CVE-2026-22691Jan 10, 2026affected < 6.6.0fixed 6.6.0
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding
- CVE-2026-22690Jan 10, 2026affected < 6.6.0fixed 6.6.0
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid f
- affected < 6.4.0fixed 6.4.0
pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter. This iss
- CVE-2025-62708Oct 22, 2025affected < 6.1.3fixed 6.1.3
pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf
- CVE-2025-62707Oct 22, 2025affected < 6.1.3fixed 6.1.3
pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This
- CVE-2025-55197Aug 13, 2025affected < 6.0.0fixed 6.0.0
pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content
- CVE-2023-46250Oct 31, 2023affected >= 3.7.0, < 3.17.0fixed 3.17.0
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions 3.7.0 through 3.16.4 can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%.
- CVE-2023-36464Jun 27, 2023affected >= 3.1.0, < 3.9.0fixed 3.9.0
pypdf is an open source, pure-python PDF library. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. That is, for example, the case if the user extracted text from such a PDF. This issue was introduced in pull
Page 2 of 2