CVE-2026-40260

EUVD-2026-23327
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
XML Entity Expansion
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
pypdf
bookworm
no-dsa
forky
vulnerable
sid
vulnerable
trixie
no-dsa
pypdf2
bookworm
no-dsa
bullseye
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pypdf
jammy
dne
noble
needs-triage
questing
needs-triage
pypdf2
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
dne
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/py-pdf/pypdf/commit/b15a374e5ca648d4878e57c3b2c0551e7f8cc7f8
https://github.com/py-pdf/pypdf/pull/3724
https://github.com/py-pdf/pypdf/releases/tag/6.10.0
https://github.com/py-pdf/pypdf/security/advisories/GHSA-3crg-w4f6-42mx