CVE-2026-40260

EUVD-2026-23327
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
XML Entity Expansion
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
pypdf_projectpypdf
𝑥
< 6.10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pypdf
bookworm
no-dsa
forky
vulnerable
sid
vulnerable
trixie
no-dsa
pypdf2
bookworm
no-dsa
bullseye
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pypdf
jammy
dne
noble
needs-triage
questing
needs-triage
resolute
needs-triage
pypdf2
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
dne
resolute
dne
xenial
ignored
Common Weakness Enumeration
References
https://github.com/py-pdf/pypdf/commit/b15a374e5ca648d4878e57c3b2c0551e7f8cc7f8
https://github.com/py-pdf/pypdf/pull/3724
https://github.com/py-pdf/pypdf/releases/tag/6.10.0
https://github.com/py-pdf/pypdf/security/advisories/GHSA-3crg-w4f6-42mx