PYSEC-2026-1837

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pypdf2/PYSEC-2026-1837.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1837
Aliases
Published
2026-07-07T11:45:19.715500Z
Modified
2026-07-07T17:46:59.524042100Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
PyPDF2 quadratic runtime with malformed PDF missing xref marker
Details

Impact

An attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime. This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage.

Patches

https://github.com/py-pdf/pypdf/pull/808

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

References

Affected packages

PyPI / pypdf2

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.27.9

Affected versions

1.*
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.25.1
1.26.0
1.27.0
1.27.1
1.27.2
1.27.3
1.27.4
1.27.5
1.27.6
1.27.7
1.27.8

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pypdf2/PYSEC-2026-1837.yaml"