Source: pypdf
Version: 6.9.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for pypdf.

CVE-2026-49460[0]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.12.2, an attacker who uses this vulnerability can craft a PDF
| which leads to long runtimes. This requires accessing a stream which
| uses the /FlateDecode filter with a PNG predictor. This
| vulnerability is fixed in 6.12.2.


CVE-2026-49461[1]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.12.2, an attacker who uses this vulnerability can craft a PDF
| which leads to large memory usage. This requires extracting the text
| of a page which contains a form XObject with self-references. This
| vulnerability is fixed in 6.12.2.


CVE-2026-54530[2]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.13.0, an attacker who uses this vulnerability can craft a PDF
| which leads to an infinite loop. This requires extracting the text
| in layout mode. This vulnerability is fixed in 6.13.0.


CVE-2026-54531[3]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.13.0, an attacker who uses this vulnerability can craft a PDF
| which leads to an infinite loop. This requires merging a file with
| outlines into a writer. This vulnerability is fixed in 6.13.0.


CVE-2026-54651[4]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.13.1, an attacker who uses this vulnerability can craft a PDF
| which leads to an infinite loop. This requires merging a file with
| threads/articles into a writer. This vulnerability is fixed in
| 6.13.1.


If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49460
    https://www.cve.org/CVERecord?id=CVE-2026-49460
[1] https://security-tracker.debian.org/tracker/CVE-2026-49461
    https://www.cve.org/CVERecord?id=CVE-2026-49461
[2] https://security-tracker.debian.org/tracker/CVE-2026-54530
    https://www.cve.org/CVERecord?id=CVE-2026-54530
[3] https://security-tracker.debian.org/tracker/CVE-2026-54531
    https://www.cve.org/CVERecord?id=CVE-2026-54531
[4] https://security-tracker.debian.org/tracker/CVE-2026-54651
    https://www.cve.org/CVERecord?id=CVE-2026-54651

Regards,
Salvatore
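Two checks a package maintainer or an application owner would want after reading the report above, as an added example that is not part of the bug report and not code from pypdf: first, which of the five CVEs still apply to a given Debian or upstream version string, using only the "fixed in" versions stated in the CVE texts; second, since every one of these issues is a denial of service (long runtime, infinite loop, or large memory usage) on attacker-supplied input, a wrapper that runs a parser call in a forked child under CPU, address-space and wall-clock limits so the caller survives a crafted file. The three "parser" functions are constructed stand-ins that mimic those failure modes; no PDF is parsed, pypdf is not imported, and the limit values are illustrative assumptions (Linux/POSIX only, because of `resource` and fork).

```python
"""Version gate and resource-limited execution for the pypdf CVEs above.

Added example, not from the report or from pypdf. Stand-in functions
simulate the reported failure modes; nothing here parses a PDF.
"""
import multiprocessing
import re
import resource
import signal

# Fixed-in versions exactly as stated in the five CVE descriptions.
FIXED_IN = {
    "CVE-2026-49460": "6.12.2",
    "CVE-2026-49461": "6.12.2",
    "CVE-2026-54530": "6.13.0",
    "CVE-2026-54531": "6.13.0",
    "CVE-2026-54651": "6.13.1",
}


def upstream_version(debian_version):
    """Strip a Debian epoch and revision: '1:6.9.2-1' -> '6.9.2'."""
    without_epoch = debian_version.split(":", 1)[-1]
    return without_epoch.rsplit("-", 1)[0]


def version_tuple(version):
    """Numeric major.minor.patch only; pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(installed):
    """CVEs from this report whose fix is newer than the installed version."""
    v = version_tuple(upstream_version(installed))
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if v < version_tuple(fixed))


def _limited_runner(func, args, cpu_seconds, mem_bytes, conn):
    """Child side: apply rlimits, run func, report the outcome over a pipe."""
    # Soft limit raises SIGXCPU (default action: terminate); hard limit one
    # second later is SIGKILL. soft == hard would skip straight to SIGKILL.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    try:
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    except ValueError:
        pass  # cannot raise above an existing lower hard limit; keep the lower one
    try:
        conn.send(("ok", func(*args)))
    except MemoryError:
        conn.send(("memory", None))
    except Exception as exc:  # any parser exception is reported, not propagated
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_limited(func, *args, cpu_seconds=2, mem_bytes=512 * 2**20, wall_seconds=5):
    """Run func(*args) in a forked child; returns (status, result).

    status is "ok", "error", "memory", "cpu-limit" or "wall-timeout".
    """
    ctx = multiprocessing.get_context("fork")  # assumption: Linux/POSIX host
    parent, child = ctx.Pipe(duplex=False)
    p = ctx.Process(target=_limited_runner,
                    args=(func, args, cpu_seconds, mem_bytes, child))
    p.start()
    child.close()  # parent keeps only the read end, so EOF means the child is gone
    try:
        p.join(wall_seconds)
        if p.is_alive():  # e.g. an infinite loop that mostly sleeps or blocks
            p.kill()
            p.join()
            return ("wall-timeout", None)
        try:
            return parent.recv()
        except EOFError:
            pass  # child died before sending anything
        if p.exitcode in (-signal.SIGXCPU, -signal.SIGKILL):
            return ("cpu-limit", None)
        return ("killed", p.exitcode)
    finally:
        parent.close()


# Constructed stand-ins for the reported failure modes (not pypdf code).
def benign_parse(data):
    return len(data)


def spin_forever():  # CVE-2026-54530/54531/54651 style: never terminates
    n = 0
    while True:
        n += 1


def allocate_until_failure():  # CVE-2026-49461 style: unbounded growth
    chunks = []
    for _ in range(32):  # capped at 1 GiB so the demo is bounded even unlimited
        chunks.append(bytearray(32 * 2**20))
    return len(chunks)


if __name__ == "__main__":
    print(affected_cves("6.9.2-1"))
    print(run_limited(benign_parse, b"%PDF-1.7\n"))
    print(run_limited(spin_forever, cpu_seconds=1, wall_seconds=10))
    print(run_limited(allocate_until_failure, mem_bytes=256 * 2**20))
```

With pypdf installed, the same wrapper takes the real call, for instance `run_limited(lambda: PdfReader(path).pages[0].extract_text(), cpu_seconds=5)`; the lambda works because the fork context passes the callable to the child without pickling. The child process is the unit of containment: a CPU-bound loop is stopped by the kernel even though no Python code ever regains control, which a plain `signal.alarm` in the same process cannot guarantee inside a tight loop in C extensions.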
