#1140629 pypdf: CVE-2026-49460 CVE-2026-49461 CVE-2026-54530 CVE-2026-54531 CVE-2026-54651

Package: src:pypdf
Source: src:pypdf
Submitter: Salvatore Bonaccorso
Date: 2026-06-23 19:19:02 UTC
Severity: normal
Tags:

#1140629#5
Date: 2026-06-23 19:16:45 UTC
From:
To:
Hi,

The following vulnerabilities were published for pypdf.

CVE-2026-49460[0]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.12.2, an attacker who uses this vulnerability can craft a PDF
| which leads to long runtimes. This requires accessing a stream which
| uses the /FlateDecode filter with a PNG predictor. This
| vulnerability is fixed in 6.12.2.


CVE-2026-49461[1]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.12.2, an attacker who uses this vulnerability can craft a PDF
| which leads to large memory usage. This requires extracting the text
| of a page which contains a form XObject with self-references. This
| vulnerability is fixed in 6.12.2.


CVE-2026-54530[2]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.13.0, an attacker who uses this vulnerability can craft a PDF
| which leads to an infinite loop. This requires extracting the text
| in layout mode. This vulnerability is fixed in 6.13.0.


CVE-2026-54531[3]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.13.0, an attacker who uses this vulnerability can craft a PDF
| which leads to an infinite loop. This requires merging a file with
| outlines into a writer. This vulnerability is fixed in 6.13.0.


CVE-2026-54651[4]:
| pypdf is a free and open-source pure-python PDF library. Prior to
| 6.13.1, an attacker who uses this vulnerability can craft a PDF
| which leads to an infinite loop. This requires merging a file with
| threads/articles into a writer. This vulnerability is fixed in
| 6.13.1.


If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49460
https://www.cve.org/CVERecord?id=CVE-2026-49460
[1] https://security-tracker.debian.org/tracker/CVE-2026-49461
https://www.cve.org/CVERecord?id=CVE-2026-49461
[2] https://security-tracker.debian.org/tracker/CVE-2026-54530
https://www.cve.org/CVERecord?id=CVE-2026-54530
[3] https://security-tracker.debian.org/tracker/CVE-2026-54531
https://www.cve.org/CVERecord?id=CVE-2026-54531
[4] https://security-tracker.debian.org/tracker/CVE-2026-54651
https://www.cve.org/CVERecord?id=CVE-2026-54651

Regards,
Salvatore
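All five CVEs in the report are denial-of-service bugs: a crafted PDF makes pypdf run for a long time, use a lot of memory, or loop forever. The example below is added here and is not part of the bug report, of Debian's tooling, or of pypdf itself. It does two defensive things: it compares an installed pypdf version against the fixed versions quoted above, and it runs a parse of an untrusted PDF in a child process bounded by wall-clock time and address space, so a hostile file can only stall or exhaust that child. It assumes Linux (the `fork` start method and `RLIMIT_AS`) and pypdf's `PdfReader` / `extract_text(extraction_mode="layout")` API; `demo_spin` and `demo_hog` are constructed stand-ins for a hostile parse, used only to exercise the wrapper.

```python
"""Defensive wrapper for parsing untrusted PDFs with pypdf (added example)."""
import multiprocessing
import resource
from typing import Any, Callable, Dict, List, Tuple

# Fixed versions exactly as stated in the advisory text above.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "CVE-2026-49460": (6, 12, 2),
    "CVE-2026-49461": (6, 12, 2),
    "CVE-2026-54530": (6, 13, 0),
    "CVE-2026-54531": (6, 13, 0),
    "CVE-2026-54651": (6, 13, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.12.2' into (6, 12, 2). Non-numeric suffixes such as 'rc1' are
    dropped, so a pre-release compares like its final release (conservative
    enough for a gate, not a full PEP 440 parser)."""
    nums: List[int] = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def unfixed_cves(installed: str) -> List[str]:
    """CVE ids from the report that the given pypdf version does not fix."""
    have = parse_version(installed)
    return sorted(cve for cve, fixed in FIXED_IN.items() if have < fixed)


def _child(conn, limit_bytes: int, func: Callable, args: tuple) -> None:
    """Body of the forked worker: cap address space, run func, report back."""
    if limit_bytes:
        _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
        new = limit_bytes if hard == resource.RLIM_INFINITY else min(limit_bytes, hard)
        resource.setrlimit(resource.RLIMIT_AS, (new, hard))
    try:
        conn.send(("ok", func(*args)))
    except BaseException as exc:  # MemoryError, pypdf errors, anything else
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_bounded(func: Callable, args: tuple = (), timeout_s: float = 10.0,
                limit_bytes: int = 512 * 1024 * 1024) -> Tuple[str, Any]:
    """Run func(*args) in a child with a wall-clock and memory cap.

    Returns ("ok", result), ("error", message) or ("timeout", None). A parse
    that loops forever or balloons in memory never reaches the caller's
    process; the child is killed and the caller gets a status instead.
    """
    ctx = multiprocessing.get_context("fork")  # Linux assumption
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_child, args=(child_conn, limit_bytes, func, args))
    proc.start()
    child_conn.close()  # parent keeps only the reading end
    try:
        if parent_conn.poll(timeout_s):
            status, payload = parent_conn.recv()
        else:
            status, payload = "timeout", None
    except EOFError:  # child died (e.g. killed by the kernel) before replying
        status, payload = "error", "worker exited without a result"
    finally:
        parent_conn.close()
        proc.join(timeout=1.0)
        if proc.is_alive():
            proc.kill()
            proc.join()
    return status, payload


def _layout_text(path: str) -> str:
    """Layout-mode text extraction, the operation named in CVE-2026-54530."""
    from pypdf import PdfReader
    reader = PdfReader(path)
    return "\n".join(page.extract_text(extraction_mode="layout") for page in reader.pages)


def extract_text_bounded(path: str, timeout_s: float = 30.0) -> Tuple[str, Any]:
    """Gate on the installed version, then extract text inside the bounded worker."""
    import pypdf  # imported lazily so the checks above work without pypdf installed
    missing = unfixed_cves(pypdf.__version__)
    if missing:
        return "error", "pypdf %s lacks fixes for %s" % (pypdf.__version__, ", ".join(missing))
    return run_bounded(_layout_text, (path,), timeout_s=timeout_s)


# Constructed stand-ins for a hostile parse: an infinite loop and a memory hog.
def demo_spin() -> None:
    while True:
        pass


def demo_hog() -> int:
    return len(bytearray(2 * 1024 ** 3))


if __name__ == "__main__":
    import sys
    print(extract_text_bounded(sys.argv[1]))
```

The version gate is a stopgap for hosts that cannot upgrade immediately; the process boundary is the durable control, because future parser bugs of the same class (the report lists three separate infinite-loop fixes across two releases) are contained the same way without code changes.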