CVE-2026-40260
Severity: MEDIUM
pypdf: Manipulated XMP metadata entity declarations can exhaust RAM
Title source: cnaDescription
pypdf is a free and open-source pure-Python PDF library. In versions prior to 6.10.0, manipulated entity declarations in a PDF's XMP metadata (the XML packet stored in the document's /Metadata stream) can exhaust RAM: an attacker can craft a PDF whose XMP packet declares nested XML entities so that parsing it expands into a very large amount of text in memory (XML entity expansion, CWE-776). The condition is only triggered when the XMP metadata is actually parsed, for example by reading it through the reader's xmp_metadata accessor; merely opening the file or extracting page content does not trigger it. This issue has been fixed in version 6.10.0.
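The following is an added example, not pypdf's own code and not the fix shipped in the referenced pull request. With a constructed, deliberately small XMP packet it shows how nested internal entity declarations amplify once xml.dom.minidom hands the packet to expat (each of the four levels below references the previous one ten times, so the title expands to 10,000 bytes from roughly 650 bytes of input; a real attack simply adds levels), and a pre-parse guard that either refuses a DOCTYPE outright or, where DTDs must be tolerated, statically bounds the worst-case expansion before parsing. The function names, the size limit and the simplified dc:title layout are assumptions made for the example.

```python
"""Entity-expansion guard for XMP metadata packets (CWE-776).

Added example, not pypdf's code. The policy limit, the helper names and
the simplified dc:title layout below are assumptions for illustration.
"""
import re
import xml.dom.minidom

DC_NS = "http://purl.org/dc/elements/1.1/"
MAX_EXPANSION_BYTES = 1_000_000  # hypothetical policy limit, not a pypdf setting


def _refs(name: str) -> str:
    """Ten references to one entity: the amplification step of each level."""
    return f"&{name};" * 10


# Constructed sample: a simplified XMP packet whose internal DTD subset
# declares four nested entities; &d; expands to 10**4 bytes of 'A'.
MALICIOUS_XMP = f"""<?xml version="1.0"?>
<!DOCTYPE x:xmpmeta [
  <!ENTITY a "AAAAAAAAAA">
  <!ENTITY b "{_refs('a')}">
  <!ENTITY c "{_refs('b')}">
  <!ENTITY d "{_refs('c')}">
]>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="{DC_NS}">
   <dc:title>&d;</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
""".encode()

# Constructed benign packet: same shape, no DTD.
BENIGN_XMP = f"""<?xml version="1.0"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="{DC_NS}">
   <dc:title>Quarterly report</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
""".encode()

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY_RE = re.compile(rb'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
_REF_RE = re.compile(rb"&(\w+);")


def entity_expansion_sizes(data: bytes) -> dict:
    """Statically compute the fully expanded size of each internal general entity.

    Only internal entities with a literal value are modelled; parameter and
    external entities do not match the regex and are left to the DOCTYPE gate.
    A declaration that references itself (directly or indirectly) raises.
    """
    decls = {}
    for m in _ENTITY_RE.finditer(data):
        decls[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    sizes = {}

    def expanded(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError(f"recursive entity reference: {name.decode()}")
        value, total, pos = decls[name], 0, 0
        for ref in _REF_RE.finditer(value):
            total += ref.start() - pos
            inner = ref.group(1)
            # Names not declared here (&amp; and friends) keep their literal width.
            total += expanded(inner, stack | {name}) if inner in decls else len(ref.group(0))
            pos = ref.end()
        sizes[name] = total + len(value) - pos
        return sizes[name]

    for name in decls:
        expanded(name, frozenset())
    return sizes


def check_xmp(data: bytes, allow_dtd: bool = False, max_bytes: int = MAX_EXPANSION_BYTES) -> str:
    """Return "ok" if the packet may be parsed, otherwise the reason to reject it.

    Strict mode (default) refuses any DOCTYPE: XMP is RDF/XML and legitimate
    packets do not carry a DTD. Permissive mode bounds the expansion instead.
    """
    if not _DOCTYPE_RE.search(data):
        return "ok"
    if not allow_dtd:
        return "DOCTYPE declaration not permitted in XMP"
    try:
        worst = max(entity_expansion_sizes(data).values(), default=0)
    except ValueError as exc:
        return str(exc)
    if worst > max_bytes:
        return f"entity expansion of {worst} bytes exceeds limit of {max_bytes}"
    return "ok"


def _title_text(doc) -> str:
    """Concatenate the text children of the first dc:title element."""
    title = doc.getElementsByTagNameNS(DC_NS, "title")[0]
    return "".join(n.data for n in title.childNodes if n.nodeType == n.TEXT_NODE)


def unsafe_title_length(data: bytes) -> int:
    """Parse with no guard: expat expands the entities into the title text."""
    return len(_title_text(xml.dom.minidom.parseString(data)))


def safe_title(data: bytes) -> str:
    """Run the guard first; only a packet that passes reaches the XML parser."""
    verdict = check_xmp(data)
    if verdict != "ok":
        raise ValueError(f"rejected XMP metadata: {verdict}")
    return _title_text(xml.dom.minidom.parseString(data))
```

The static estimate is cheap because it never materialises the expansion: it walks the declarations once and memoises each entity's size, so a packet that would expand to gigabytes is rejected in microseconds. Rejecting any DOCTYPE is the simpler and stricter policy and is what a PDF library should default to; the bounded mode is there for callers that have a reason to accept a DTD.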
References (4)
Advisory (x_refsource_confirm): https://github.com/py-pdf/pypdf/security/advisories/GHSA-3crg-w4f6-42mx
Pull request (x_refsource_misc): https://github.com/py-pdf/pypdf/pull/3724
Commit (x_refsource_misc): https://github.com/py-pdf/pypdf/commit/b15a374e5ca648d4878e57c3b2c0551e7f8cc7f8
Release 6.10.0 (x_refsource_misc): https://github.com/py-pdf/pypdf/releases/tag/6.10.0
Scores
CVSS v3: 5.3 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: NETWORK (the vector reads as: a remotely supplied file, low complexity, no privileges or user interaction, availability impact only)
EPSS: 0.0042 (percentile 33.6%)
CISA SSVC (Vulnrichment): Exploitation none; Automatable yes; Technical Impact partial
Details
CWE: CWE-776 (Improper Restriction of Recursive Entity References in DTDs, "XML Entity Expansion")
Status: published
Products (3)
py-pdf/pypdf: < 6.10.0
pypdf_project/pypdf: < 6.10.0
pypi/pypdf (PyPI): 0 - 6.10.0
Published: Apr 17, 2026
Tracked Since: Apr 17, 2026