CVE-2026-48156

3.3 LOW

pypdf is a free and open-source pure-python PDF library

Published: 2026-05-28 · Last updated: 2026-05-29

Severity and scoring

CVSS: 3.3 LOW
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE: CWE-834

Affected products

Vendor	Product
pypdf_project	pypdf

Description

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-48156
[Patch]https://github.com/py-pdf/pypdf/pull/3791
[Other]https://github.com/py-pdf/pypdf/releases/tag/6.12.0
[Patch]https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6

Related CVEs

Same vendor

CVE-2026-48735 — pypdf is a free and open-source pure-python PDF library (5.5 MEDIUM)
CVE-2026-48155 — pypdf is a free and open-source pure-python PDF library (5.5 MEDIUM)

Same CWE

CVE-2026-45680 — OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (5.9 MEDIUM)