anonhaven
Ad

CVE-2026-28804

MEDIUM CVSS 4.0: 6.9 EPSS 0.05%
Updated Mar 06, 2026
Python
Parameter Value
CVSS 6.9 (MEDIUM)
Fixed In 6.7.5
Type CWE-407
Vendor Python
Public PoC No

pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter.

This issue has been patched in version 6.7.5.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
Low
Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-407

References 4

https://github.com/py-pdf/pypdf/commit/648c627d2657447dfb1773412af05a0a5103b98f
security-advisories@github.com
https://github.com/py-pdf/pypdf/pull/3666
security-advisories@github.com
https://github.com/py-pdf/pypdf/releases/tag/6.7.5
security-advisories@github.com
https://github.com/py-pdf/pypdf/security/advisories/GHSA-9m86-7pmv-2852
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-40260

Python

6.9

CVE-2026-40947

Python

2.9

CVE-2026-40192

Python

8.7

CVE-2026-40683

Python

7.7

CVE-2026-5713

Python

5.3