CVE-2026-33699

pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.

CVSS

No CVSS.

References

Link	Resource
https://github.com/py-pdf/pypdf/pull/3693
https://github.com/py-pdf/pypdf/releases/tag/6.9.2
https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-27 01:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33699

Mitre link : CVE-2026-33699

CVE.ORG link : CVE-2026-33699

JSON object : View

Products Affected

No product.

CWE

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

{"id": "CVE-2026-33699", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-27T01:16:19.147", "references": [{"url": "https://github.com/py-pdf/pypdf/pull/3693", "source": "security-advisories@github.com"}, {"url": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2", "source": "security-advisories@github.com"}, {"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-835"}]}], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually."}, {"lang": "es", "value": "pypdf es una biblioteca PDF escrita puramente en Python, gratuita y de c\u00f3digo abierto. Las versiones anteriores a la 6.9.2 tienen una vulnerabilidad en la que un atacante puede crear un PDF que conduce a un bucle infinito. Esto requiere leer un archivo en modo no estricto. Esto ha sido corregido en pypdf 6.9.2. Si los usuarios a\u00fan no pueden actualizar, consideren aplicar los cambios del parche manualmente."}], "lastModified": "2026-03-30T13:26:29.793", "sourceIdentifier": "security-advisories@github.com"}

CVE-2026-33699

JSON object

Attach tags to CVE-2026-33699

Attach tags to `CVE-2026-33699`