UNKNOWN PyPI
pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams
GHSA-2rw7-x74f-jg35 · CVE-2026-27628
Published · Modified
Description
Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file.
Patches
This has been fixed in pypdf==6.7.2.
Workarounds
If users cannot upgrade yet, consider applying the changes from PR #3655.
References
- WEB https://github.com/py-pdf/pypdf/security/advisories/GHSA-2rw7-x74f-jg35
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-27628
- WEB https://github.com/py-pdf/pypdf/issues/3654
- WEB https://github.com/py-pdf/pypdf/commit/f0a462d36971cf077d74492a348d0d06fd60ea4d
- PACKAGE https://github.com/py-pdf/pypdf
Ready to move
Start Securing
Free, no credit card | First findings in minutes