chore(deps): update python dependencies (non-major) to v6.7.4 [security]

[utic-renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
pypdf (changelog)	project.dependencies	minor	6.6.2 → 6.7.4

GitHub Vulnerability Alerts

CVE-2026-27024

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3645.

CVE-2026-27025

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3646.

CVE-2026-27026

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3644.

CVE-2026-27628

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file.

Patches

This has been fixed in pypdf==6.7.2.

Workarounds

If users cannot upgrade yet, consider applying the changes from PR #​3655.

CVE-2026-27888

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the xfa property of a reader or writer and the corresponding stream being compressed using /FlateDecode.

Patches

This has been fixed in pypdf==6.7.3.

Workarounds

If projects cannot upgrade yet, consider applying the changes from PR #​3658.

CVE-2026-28351

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter.

Patches

This has been fixed in pypdf==6.7.4.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3664.

---

Release Notes

py-pdf/pypdf (pypdf)

v6.7.4

Compare Source

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#​3666)

Full Changelog

v6.7.3

Compare Source

Security (SEC)

• Allow limiting output length for RunLengthDecode filter (#​3664)

Robustness (ROB)

• Deal with invalid annotations in extract_links (#​3659)

Full Changelog

v6.7.2

Compare Source

Security (SEC)

• Use zlib decompression limit when retrieving XFA data (#​3658)

Full Changelog

v6.7.1

Compare Source

Security (SEC)

• Prevent infinite loop from circular xref /Prev references (#​3655)

Bug Fixes (BUG)

• Fix wrong LUT size error (#​3651)
• Fix handling of page boxes defined on /Pages (#​3650)

Full Changelog

v6.7.0

Compare Source

Security (SEC)

• Detect cyclic references when accessing TreeObject.children (#​3645)
• Limit size of /ToUnicode entries (#​3646)
• Limit FlateDecode recovery attempts (#​3644)

Bug Fixes (BUG)

• Avoid own object replacement logic in PageObject.replace_contents (#​3638)
• Fix UnboundLocalError when update_page_form_field_values with /Sig (#​3634)

Robustness (ROB)

• Avoid divison by zero when decoding FlateDecode PNG prediction (#​3641)

Full Changelog

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.