Main Vulnerability Database Vulnerabilities #VU132250

Allocation of Resources Without Limits or Throttling in PyPDF - CVE-2026-48735

Published: May 25, 2026

Vulnerability identifier: #VU132250

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-48735

CWE-ID: CWE-770

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Pypdf Project

Affected software:
PyPDF

Detailed vulnerability description

The vulnerability allows a remote attacker to cause excessive memory consumption.

The vulnerability exists due to allocation of resources without limits or throttling in the XMP metadata parser when parsing large XMP metadata streams in a PDF file. A remote attacker can supply a specially crafted PDF file to cause excessive memory consumption.

How to mitigate CVE-2026-48735

Install security update from vendor's website.

Sources

https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjqc-6w8f-h24c
https://github.com/py-pdf/pypdf/pull/3796

Allocation of Resources Without Limits or Throttling in PyPDF - CVE-2026-48735

Detailed vulnerability description

How to mitigate CVE-2026-48735

Sources

Please verify you're human