PDF Library Vulnerability in pypdf Affects Open Source Projects
CVE-2026-28804

6.9 MEDIUM

Key Information:

Vendor: Py-PDF
Status: Vendor
CVE Published: 6 March 2026

What is CVE-2026-28804?

Prior to version 6.7.5, pypdf, a free and open-source pure-Python PDF library, is susceptible to a resource exhaustion vulnerability. An attacker can exploit this by crafting a malicious PDF file that leverages the /ASCIIHexDecode filter, potentially leading to prolonged processing times due to excessive resource consumption. This vulnerability can affect applications relying on pypdf for PDF manipulation and processing, as it may cause significant performance degradation. The issue has been addressed and resolved in version 6.7.5.

Affected Version(s)

pypdf < 6.7.5
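
To check a dependency list and the running environment against the affected range above, the following added example (not code from this page or from the pypdf project) flags exact pins of pypdf below 6.7.5. The function names and the sample requirement lines are constructed for illustration; range specifiers such as `>=` are assumed to be out of scope and are skipped.

```python
import re
from importlib import metadata

FIXED = (6, 7, 5)  # first fixed pypdf release, per the advisory text

# Exact pins only, e.g. "pypdf==6.7.4" or "PyPDF[crypto]==6.2.0"
_PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)")

def parse_version(text):
    """'6.10.0' -> (6, 10, 0): compare numerically, never as strings."""
    numeric = re.match(r"\d+(?:\.\d+)*", text).group(0)  # suffixes like 'rc1' are ignored
    parts = tuple(int(p) for p in numeric.split("."))
    return parts + (0,) * (3 - len(parts))  # pad '6.7' to (6, 7, 0)

def is_affected(version_text):
    return parse_version(version_text) < FIXED

def audit_requirements(lines):
    """Return (line_number, version) for each exact pypdf pin below the fix."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        match = _PIN.match(line)
        if not match:
            continue
        name = re.sub(r"[-_.]+", "-", match.group(1)).lower()  # PEP 503 name normalisation
        if name == "pypdf" and is_affected(match.group(2)):
            findings.append((number, match.group(2)))
    return findings

def installed_pypdf_affected():
    """True/False for the pypdf in this environment, None if it is not installed."""
    try:
        return is_affected(metadata.version("pypdf"))
    except metadata.PackageNotFoundError:
        return None

# Constructed sample input, not taken from any real project
SAMPLE = [
    "example-lib==1.0.0",
    "pypdf==6.7.4          # below the fix",
    "PyPDF[crypto]==6.10.0 # numerically newer than 6.7.5",
    "pypdf==6.7",
    "pypdf>=6.0            # range, not an exact pin: skipped",
]

if __name__ == "__main__":
    for number, version in audit_requirements(SAMPLE):
        print(f"line {number}: pypdf {version} is below 6.7.5")
    print("installed pypdf affected:", installed_pypdf_affected())
```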

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
