6.9
CVE-2026-48735
- EPSS 0.13%
- Veröffentlicht 28.05.2026 14:49:11
- Zuletzt bearbeitet 29.05.2026 19:38:59
- CVE-Watchlists
- Unerledigt
pypdf: Manipulated XMP metadata streams can exhaust RAM
pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pypdf Project ≫ Pypdf Version < 6.12.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.029 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 6.9 | 0 | 0 |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjqc-6w8f-h24c
https://github.com/py-pdf/pypdf/pull/3796
https://github.com/py-pdf/pypdf/releases/tag/6.12.1