CVE-2026-40260 MEDIUM

CVE-2026-40260: pypdf: Manipulated XMP metadata entity declarations can exhaust RAM

Vendor Py-Pdf
Product pypdf
Weakness CWE-776
Published April 16, 2026
Last update April 17, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Attack requirements None
Privileges required None
User interaction None
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

Description

pypdf is a free and open-source pure-Python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM: an attacker can craft a PDF whose XMP metadata packet carries a DTD with entity declarations that expand to very large strings when the packet is parsed (XML entity expansion, CWE-776), so that processing the file leads to large memory usage. The expansion is only triggered when the XMP metadata is actually parsed; an application that opens the PDF without touching its XMP metadata does not reach the affected code path. This issue has been fixed in version 6.10.0. Until the upgrade is in place, refusing XMP packets that contain a DOCTYPE or entity declarations before handing them to any XML parser is a reasonable mitigation, since XMP is plain RDF/XML and has no practical use for a DTD.
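Added example for this advisory, not pypdf's code and not the fix shipped in 6.10.0: a stdlib-only Python screen that inspects an XMP packet for DTD entity declarations before any XML parser touches it, estimates how far each declared entity would expand (reporting a cycle as unbounded), and refuses the packet whenever a DOCTYPE is present. The two XMP packets are constructed here, the "billion laughs" one deliberately kept to three shallow levels so it expands to about 3 KB rather than gigabytes; the function names `entity_expansion_sizes`, `screen_xmp`, `xmp_title` and the 1024-character budget are assumptions of this example. In practice the bytes would be read from the PDF's /Metadata stream; literal strings are used so the file runs offline.

```python
"""Screen an XMP metadata packet for XML entity expansion (CWE-776) before parsing.

Added example for CVE-2026-40260; this is not pypdf's code. The "billion laughs"
packet below is deliberately shallow (three 10-fold levels, ~3 KB) so that running
this file is harmless; a real attacker nests far more levels.
"""
import re
import xml.dom.minidom

# Constructed sample of an attacker-controlled XMP packet (as it would sit in a
# PDF's /Metadata stream): a DTD whose entities expand geometrically.
MALICIOUS_XMP = b"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<!DOCTYPE x [
  <!ENTITY lol0 "lol">
  <!ENTITY lol1 "&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;&lol0;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:title>&lol3;</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""

# Constructed benign packet: ordinary RDF/XML, no DTD at all.
BENIGN_XMP = b"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:title>Quarterly report</dc:title>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""

_ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')  # internal general entities only
_ENTITY_REF = re.compile(r'&(\w+);')


def entity_expansion_sizes(xml_bytes: bytes) -> dict:
    """Return {entity_name: expanded_length} for the internal DTD subset.

    Only internal general entities with a quoted literal value are examined;
    parameter and external entities are out of scope (screen_xmp rejects any
    DTD anyway). A recursive reference makes the entity unbounded: float('inf').
    """
    text = xml_bytes.decode("utf-8", errors="replace")
    decls = dict(_ENTITY_DECL.findall(text))
    sizes: dict = {}

    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:                 # entity refers back to itself: unbounded
            return float("inf")
        body = decls.get(name)
        if body is None:                  # undeclared (e.g. &amp;): stays literal
            return len(name) + 2
        stack.add(name)
        total, last = 0, 0
        for m in _ENTITY_REF.finditer(body):
            total += m.start() - last     # literal text before the reference
            total += size_of(m.group(1), stack)
            last = m.end()
        total += len(body) - last         # literal text after the last reference
        stack.discard(name)
        sizes[name] = total
        return total

    for name in decls:
        size_of(name, set())
    return sizes


def screen_xmp(xml_bytes: bytes, max_entity_expansion: int = 1024) -> str:
    """Return "ok" if the packet may be parsed, else a short rejection reason.

    XMP is RDF/XML and has no practical use for a DTD, so a DOCTYPE or ENTITY
    declaration is refused outright; the expansion estimate is added for triage.
    """
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        worst = max(entity_expansion_sizes(xml_bytes).values(), default=0)
        if worst > max_entity_expansion:
            return f"rejected: DTD with entity expanding to {worst} chars"
        return "rejected: DTD present in XMP packet"
    return "ok"


def xmp_title(xml_bytes: bytes) -> str:
    """Parse a screened XMP packet and return its dc:title text."""
    verdict = screen_xmp(xml_bytes)
    if verdict != "ok":
        raise ValueError(verdict)         # never hand a DTD-bearing packet to the parser
    doc = xml.dom.minidom.parseString(xml_bytes)
    node = doc.getElementsByTagName("dc:title")[0]
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


if __name__ == "__main__":
    print("benign:", screen_xmp(BENIGN_XMP), "->", xmp_title(BENIGN_XMP))
    print("malicious:", screen_xmp(MALICIOUS_XMP))
```

The screen is deliberately applied to the raw bytes rather than to a parsed tree, because the damage from CWE-776 happens inside the parser; the estimate walks the declarations itself in linear time (each entity is sized once and cached), so it costs nothing like what the expansion would. Adding the same pre-check in front of whatever XMP parser an application uses is a cheap stopgap until pypdf 6.10.0 is deployed.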

Key dates

Disclosure timeline

April 16, 2026 CVE published
April 17, 2026 Record updated