Vulnerability in Py-pdf Pypdf

CVE-2026-28804

pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter…

EPSS: 0.000 (4.2th percentile) — read the EPSS interpretation.

Affected products

Py-pdf Pypdf — versions < 6.7.5

Weakness classification (CWE)

CWE-407 — Inefficient Algorithmic Complexity

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-9m86-7pmv-2852 (x_refsource_CONFIRM)
https://github.com/py-pdf/pypdf/pull/3666 (x_refsource_MISC)
https://github.com/py-pdf/pypdf/commit/648c627d2657447dfb1773412af05a0a5103b98f (x_refsource_MISC)
https://github.com/py-pdf/pypdf/releases/tag/6.7.5 (x_refsource_MISC)