Vulnerability Description
pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pypdf Project | Pypdf | < 6.10.0 |
Related Weaknesses (CWE)
References
- https://github.com/py-pdf/pypdf/commit/b15a374e5ca648d4878e57c3b2c0551e7f8cc7f8Patch
- https://github.com/py-pdf/pypdf/pull/3724Issue TrackingPatch
- https://github.com/py-pdf/pypdf/releases/tag/6.10.0ProductRelease Notes
- https://github.com/py-pdf/pypdf/security/advisories/GHSA-3crg-w4f6-42mxMitigationPatchVendor Advisory
FAQ
What is CVE-2026-40260?
CVE-2026-40260 is a vulnerability with a CVSS score of 5.3 (MEDIUM). pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craf...
How severe is CVE-2026-40260?
CVE-2026-40260 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40260?
Check the references section above for vendor advisories and patch information. Affected products include: Pypdf Project Pypdf.