CVE-2026-33699 MEDIUM

CVE-2026-33699: pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream

Vendor Py-Pdf
Product pypdf
Weakness CWE-835
Published March 26, 2026
Last update March 27, 2026

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

pypdf is a free and open-source pure-Python PDF library. In versions prior to 6.9.2, an attacker can craft a PDF that leads to an infinite loop. Triggering it requires reading the file in non-strict mode. The issue has been fixed in pypdf 6.9.2. Users who cannot upgrade yet should consider applying the changes from the patch manually.
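As an added example (not part of the CVE record or the pypdf project), the following requirements-file check flags exact pins of pypdf below the fixed 6.9.2 release. The function names and the sample requirements text are constructed for illustration; range specifiers are reported as unpinned because the file alone does not say which version gets installed.

```python
import re

FIXED = (6, 9, 2)  # first fixed pypdf release named in the advisory
NAME = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*")
PIN = re.compile(r"==\s*([0-9][0-9A-Za-z.+-]*)\s*(?:;.*|--.*)?")

def is_affected(version):
    """True if an exact version string is older than the fixed release."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    release = [int(p) for p in m.group(0).split(".")]
    release += [0] * (len(FIXED) - len(release))
    # Conservative: a pre-release of the fixed version counts as affected.
    pre = re.match(r"[._-]?(a|b|rc|dev|alpha|beta)", version[m.end():], re.I)
    return tuple(release) < FIXED or (tuple(release) == FIXED and pre is not None)

def scan_requirements(text):
    """Return (line_number, verdict) for every pypdf entry in requirements text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Drop comments and line continuations before matching.
        line = raw.split("#", 1)[0].rstrip("\\ \t").strip()
        m = NAME.match(line)
        # Compare the normalized project name, so "PyPDF" matches "pypdf".
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "pypdf":
            continue
        pin = PIN.fullmatch(line[m.end():])
        if pin is None:
            verdict = "unpinned"  # range or bare name: check the installed version
        else:
            verdict = "affected" if is_affected(pin.group(1)) else "fixed"
        findings.append((lineno, verdict))
    return findings

# Constructed sample requirements text, not taken from a real project.
SAMPLE = """\
# constructed sample
requests==2.32.3
pypdf==6.9.1
PyPDF[crypto]==6.9.2  # fixed release
pypdf>=6.0
pypdf==6.9.2rc1 ; python_version >= "3.9"
"""

if __name__ == "__main__":
    for lineno, verdict in scan_requirements(SAMPLE):
        print(f"line {lineno}: {verdict}")
```

An "unpinned" result is not a pass: confirm the installed version in the resolved environment is 6.9.2 or later.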

Key dates

02 Disclosure timeline

March 26, 2026 CVE published
March 27, 2026 Record updated