7.8
pypdf: Infinite Loop When Loading Malicious PDFs
GHSA-2rw7-x74f-jg35
CVE-2026-27628
Summary
An attacker can create a malicious PDF that causes pypdf to enter an infinite loop when opening the file. This can happen if you use a vulnerable version of pypdf. Update to version 6.7.2 or apply a manual patch to fix the issue.
What to do
- Update pypdf to version 6.7.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pypdf | <= 6.7.2 | 6.7.2 |
| pypdf_project | pypdf | <= 6.7.2 | – |
Original title
pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams
Original description
pypdf is a free and open-source pure-Python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.
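Files can be screened for the circular /Prev chain named in the original title before they reach a parser. The following is an added example, not pypdf's code or its patch: a heuristic raw-byte scan that follows `startxref` and each section's `/Prev` offset with a visited set. The function names and the sample fragment (dictionaries only, no stream data) are constructed for illustration.

```python
import re

STARTXREF = re.compile(rb"startxref\s+(\d+)")
PREV = re.compile(rb"/Prev\s+(\d+)")


def prev_of(data: bytes, offset: int):
    """Return the /Prev offset declared by the xref section at `offset`, or None."""
    # The section dictionary is plain text and ends before the `stream` keyword
    # (cross-reference stream) or before `startxref` (classic table + trailer).
    ends = [i for i in (data.find(b"stream", offset),
                        data.find(b"startxref", offset)) if i != -1]
    match = PREV.search(data, offset, min(ends) if ends else len(data))
    return int(match.group(1)) if match else None


def check_prev_chain(data: bytes) -> str:
    """Classify the /Prev chain: ok, circular, out-of-range or no-startxref."""
    found = STARTXREF.findall(data)
    if not found:
        return "no-startxref"
    offset, seen = int(found[-1]), set()
    while offset is not None:
        if offset in seen:          # section already visited: the chain loops
            return "circular"
        if offset >= len(data):     # pointer leaves the file
            return "out-of-range"
        seen.add(offset)
        offset = prev_of(data, offset)
    return "ok"


def build_sample(circular: bool) -> bytes:
    """Constructed fragment: two xref dictionaries without stream data."""
    def sect(num, prev):
        return b"%d 0 obj\n<< /Type /XRef %s>>\nstream\n" % (num, prev)

    def prev(off):
        return b"/Prev %010d " % off    # fixed width keeps offsets stable

    head = b"%constructed\n"
    a_off = len(head)
    b_off = a_off + len(sect(1, prev(0) if circular else b""))
    a = sect(1, prev(b_off) if circular else b"")
    return head + a + sect(2, prev(a_off)) + b"startxref\n%d\n" % b_off


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, check_prev_chain(build_sample(flag)))
```

A "circular" or "out-of-range" result is a reason to quarantine the file; an "ok" result does not replace updating pypdf, since the scan only inspects the plain-text dictionaries.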
ghsa CVSS4.0
1.2
Vulnerability type
CWE-835
- https://github.com/py-pdf/pypdf/security/advisories/GHSA-2rw7-x74f-jg35
- https://nvd.nist.gov/vuln/detail/CVE-2026-27628
- https://github.com/py-pdf/pypdf/issues/3654
- https://github.com/py-pdf/pypdf/commit/f0a462d36971cf077d74492a348d0d06fd60ea4d
- https://github.com/advisories/GHSA-2rw7-x74f-jg35
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27628... Vendor Advisory
Published: 25 Feb 2026 · Updated: 8 Mar 2026 · First seen: 6 Mar 2026