Resource exhaustion in Py-pdf Pypdf

CVE-2026-27888

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and t…

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (17.4th percentile) — read the EPSS interpretation.

Affected products

Py-pdf Pypdf — versions < 6.7.3

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-x7hp-r3qg-r3cj (x_refsource_CONFIRM)
https://github.com/py-pdf/pypdf/pull/3658 (x_refsource_MISC)
https://github.com/py-pdf/pypdf/commit/7a4c8246ed48d9d328fb596942271da47b6d109c (x_refsource_MISC)
https://github.com/py-pdf/pypdf/releases/tag/6.7.3 (x_refsource_MISC)