CVE-2026-40260

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions pypdf versions prior to 6.10.0

Description Manipulated XMP metadata entity declarations can exhaust RAM. An attacker can craft a PDF that leads to large memory usage when the XMP metadata is parsed.

Recommendations Update to version 6.10.0. As a temporary workaround, apply the changes from PR #3724.

Fix

XML Entity Expansion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-776

Related Identifiers

CVE-2026-40260

GHSA-3CRG-W4F6-42MX

OPENSUSE-SU-2026:10582-1

OPENSUSE-SU-2026:10583-1

OPENSUSE-SU-2026:20598-1

Affected Products

Pypdf

CVE-2026-40260

Weakness Enumeration

Related Identifiers

Affected Products

References · 20