Denial of Service Vulnerability in pypdf by PyPDF Org
CVE-2026-49460

5.1 MEDIUM

Key Information:

Vendor: Py-PDF

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-49460?

The pypdf library, a widely used pure-Python PDF processing tool, is susceptible to a Denial of Service attack via manipulated PDF files. Attackers can exploit this vulnerability by crafting PDFs that utilize the /FlateDecode filter in conjunction with a PNG predictor, resulting in significantly prolonged runtimes. This issue has been rectified in version 6.12.2. Users are advised to upgrade to the latest version to mitigate any potential risks.

Affected Version(s)

pypdf < 6.12.2

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
