CVE-2026-24688

pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.

Database specific

{
    "cwe_ids": [
        "CWE-835"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24688.json"
}

References

Affected packages

Git / github.com/py-pdf/pypdf

Affected ranges

Type: GIT
Repo: https://github.com/py-pdf/pypdf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ad47d50fd7475650d71913c8c0927e9a79249c75

Affected versions

1.*

1.26.0

1.27.0

1.27.1

1.27.10

1.27.11

1.27.12

1.27.2

1.27.3

1.27.4

1.27.5

1.27.6

1.27.7

1.27.8

1.27.9

1.28.0

1.28.1

1.28.2

2.*

2.0.0

2.1.0

2.1.1

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

2.10.8

2.10.9

2.11.0

2.11.1

2.11.2

2.12.0

2.12.1

2.2.0

2.2.1

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.5.0

2.6.0

2.7.0

2.8.0

2.8.1

2.9.0

3.*

3.0.0

3.1.0

3.10.0

3.11.0

3.11.1

3.12.0

3.12.1

3.12.2

3.13.0

3.14.0

3.15.0

3.15.1

3.15.2

3.15.3

3.15.4

3.15.5

3.16.0

3.16.1

3.16.2

3.16.3

3.16.4

3.17.0

3.17.1

3.17.2

3.17.3

3.17.4

3.2.0

3.2.1

3.3.0

3.4.0

3.4.1

3.5.0

3.5.1

3.5.2

3.6.0

3.7.0

3.7.1

3.8.0

3.8.1

3.9.0

3.9.1

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.2.0

4.3.0

4.3.1

5.*

5.0.0

5.0.1

5.1.0

5.2.0

5.3.0

5.3.1

5.4.0

5.5.0

5.6.0

5.6.1

5.7.0

5.8.0

5.9.0

6.*

6.0.0

6.1.0

6.1.1

6.1.2

6.1.3

6.2.0

6.3.0

6.4.0

6.4.1

6.4.2

6.5.0

6.6.0

6.6.1

v1.*

v1.17

v1.18

v1.19

v1.20

v1.21

v1.22

v1.23

v1.24

v1.25

v1.25.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24688.json"