Resource exhaustion in Py-pdf Pypdf
CVE-2026-33123
pypdf is a free and open-source pure-Python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF that leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with…
Vulnerability class: DoS (Denial of Service)
EPSS: 0.000 (2.7th percentile)
Affected products
- Py-pdf Pypdf — versions < 6.9.1
Weakness classification (CWE)
References
- https://github.com/py-pdf/pypdf/security/advisories/GHSA-qpxp-75px-xjcp (x_refsource_CONFIRM)
- https://github.com/py-pdf/pypdf/pull/3686 (x_refsource_MISC)
- https://github.com/py-pdf/pypdf/releases/tag/6.9.1 (x_refsource_MISC)