CVE-2026-28351 (Medium) detected in pypdf-6.6.2-py3-none-any.whl

[mend-bolt-for-github]

CVE-2026-28351 - Medium Severity Vulnerability

Vulnerable Library - pypdf-6.6.2-py3-none-any.whl

A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files

Library home page: https://files.pythonhosted.org/packages/7d/be/549aaf1dfa4ab4aed29b09703d2fb02c4366fc1f05e880948c296c5764b9/pypdf-6.6.2-py3-none-any.whl

Path to dependency file: /extract-pdf-text/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260303130458_IWWTNK/python_BFCESL/202603031305041/env/lib/python3.9/site-packages/pypdf-6.6.2.dist-info

Dependency Hierarchy:

• ❌ pypdf-6.6.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 173a4b19d88f4906c34e6f2cd6aabc948152143b

Found in base branch: main

Vulnerability Details

pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.

Publish Date: 2026-02-27

URL: CVE-2026-28351

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-27

Fix Resolution: pypdf - 6.7.4,https://github.com/py-pdf/pypdf.git - 6.7.4

---

Step up your Open Source Security Game with Mend here