PDF Library Vulnerability in pypdf Affects Open Source Projects
CVE-2026-27888

6.6MEDIUM

Key Information:

Vendor

Py-PDF

Status
PyPDF
Vendor
CVE Published:
26 February 2026

What is CVE-2026-27888?

The open-source PDF library pypdf contains a vulnerability that allows attackers to craft malicious PDF files resulting in RAM exhaustion. This issue arises when accessing the xfa property of a document, specifically with streams compressed using /FlateDecode. It is crucial for users of pypdf to upgrade to version 6.7.3 or apply the provided manual patch to mitigate this risk and ensure the stability of their applications.

Affected Version(s)

pypdf < 6.7.3

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/py-pdf/pypdf/pull/3658
x_refsource_MISC
https://github.com/py-pdf/pypdf/commit/7a4c8246ed48d9d328...
x_refsource_MISC

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.