Denial of Service Vulnerability in pypdf Library by py-pdf
CVE-2026-33123

5.1 MEDIUM

Key Information:

Vendor: Py-PDF

Status
Vendor
CVE Published: 20 March 2026

What is CVE-2026-33123?

pypdf, a widely used open-source Python library for PDF manipulation, has a vulnerability that lets an attacker craft a PDF file which causes long runtimes and excessive memory usage when it is processed, destabilizing applications that use the library. Triggering the issue requires the malicious PDF to be processed by the application, and the crafted content is an array-based stream with multiple entries. The issue is fixed in version 6.9.1, and users are encouraged to upgrade to mitigate the risk.

Affected Version(s)

pypdf < 6.9.1
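A check for the affected range above, as an added example that is not part of the advisory or of the pypdf project: it flags pinned `pypdf` entries in a requirements file and the version installed in the current environment. The function names and the sample requirements text are constructed for illustration.

```python
import re
from importlib import metadata

FIXED = (6, 9, 1)  # first fixed pypdf release per the advisory
PRE = re.compile(r"^[-_.]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)
REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(===|==)?\s*([^\s;#,]*)")

# Constructed sample requirements file (not taken from any real project).
SAMPLE = """\
requests==2.32.3
pypdf==6.8.0
PyPDF2==3.0.1
pypdf[crypto]==6.9.1 ; python_version >= "3.9"
pypdf>=6.0
"""

def is_affected(version):
    """True if `version` sorts before 6.9.1 (pre-releases of 6.9.1 count as affected)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(([int(p) for p in m.group(1).split(".")] + [0, 0])[:3])
    return release < FIXED or (release == FIXED and bool(PRE.match(m.group(2))))

def audit_requirements(text):
    """Return (line_number, verdict) for each line naming the pypdf distribution."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)
        # PEP 503 name normalisation; PyPDF2 is a different distribution and is skipped.
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "pypdf":
            continue
        if m.group(2) is None:  # range or bare name: resolved version unknown
            verdict = "unpinned"
        else:
            verdict = "affected" if is_affected(m.group(3)) else "fixed"
        findings.append((number, verdict))
    return findings

def installed_pypdf_affected():
    """True/False for the pypdf installed here, None when it is not installed."""
    try:
        return is_affected(metadata.version("pypdf"))
    except metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    print("installed:", installed_pypdf_affected())
    for number, verdict in audit_requirements(SAMPLE):
        print(f"line {number}: {verdict}")
```

An "unpinned" verdict means the line does not fix an exact version, so the resolved version has to be checked in the deployed environment or lock file.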

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
