pypdf - Debian Package Tracker

general

source: pypdf (main)
version: 6.9.2-1
maintainer: Debian Python Team (DMD)
uploaders: Daniel Kahn Gillmor [DMD] – Scott Kitterman [DMD]
arch: all
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 3.4.1-1+deb12u1
stable: 5.4.0-1
testing: 6.9.2-1
unstable: 6.9.2-1

versioned links

3.4.1-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.4.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.9.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-pypdf

action needed

Debci reports failed tests high

unstable: pass (log)
The tests ran in 0:02:14
Last run: 2026-03-25T01:15:58.000Z
Previous status: unknown

testing: fail (log)
The tests ran in 0:02:00
Last run: 2026-03-20T07:17:46.000Z
Previous status: unknown

stable: pass (log)
The tests ran in 0:01:26
Last run: 2025-11-08T13:33:42.000Z
Previous status: unknown

Created: 2026-03-05 Last update: 2026-05-12 21:31

A new upstream version is available: 6.11.0 high

A new upstream version 6.11.0 is available, you should consider packaging it.

Created: 2026-04-12 Last update: 2026-05-12 21:30

5 security issues in sid high

There are 5 open security issues in sid.

5 important issues:

CVE-2026-40260: pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
CVE-2026-41168: pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large `/N` values. This has been fixed in pypdf 6.10.1. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41312: pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41313: pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41314: pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.

Created: 2026-04-17 Last update: 2026-04-28 19:02

5 security issues in forky high

There are 5 open security issues in forky.

5 important issues:

CVE-2026-40260: pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
CVE-2026-41168: pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large `/N` values. This has been fixed in pypdf 6.10.1. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41312: pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41313: pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41314: pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.

Created: 2026-04-17 Last update: 2026-04-28 19:02

21 low-priority security issues in trixie low

There are 21 open security issues in trixie.

21 issues left for the package maintainer to handle:

CVE-2025-55197: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
CVE-2025-62707: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2025-62708: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. This has been fixed in pypdf version 6.1.3.
CVE-2026-22690: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
CVE-2026-22691: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
CVE-2026-24688: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.
CVE-2026-27024: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1.
CVE-2026-27025: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction. This vulnerability is fixed in 6.7.1.
CVE-2026-27026: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed in 6.7.1.
CVE-2026-27628: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.
CVE-2026-27888: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.
CVE-2026-28351: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.
CVE-2026-28804: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version 6.7.5.
CVE-2026-31826: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This vulnerability is fixed in 6.8.0.
CVE-2026-33123: (needs triaging) pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1.
CVE-2026-33699: (needs triaging) pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
CVE-2026-40260: (needs triaging) pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
CVE-2026-41168: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large `/N` values. This has been fixed in pypdf 6.10.1. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41312: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41313: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41314: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-15 Last update: 2026-04-28 19:02

19 low-priority security issues in bookworm low

There are 19 open security issues in bookworm.

19 issues left for the package maintainer to handle:

CVE-2025-55197: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file.
CVE-2026-22690: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
CVE-2026-22691: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
CVE-2026-24688: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.
CVE-2026-27024: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1.
CVE-2026-27025: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction. This vulnerability is fixed in 6.7.1.
CVE-2026-27026: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed in 6.7.1.
CVE-2026-27628: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.
CVE-2026-27888: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the `xfa` property of a reader or writer and the corresponding stream being compressed using `/FlateDecode`. This has been fixed in pypdf 6.7.3. As a workaround, apply the patch manually.
CVE-2026-28351: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.
CVE-2026-28804: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version 6.7.5.
CVE-2026-31826: (needs triaging) pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This vulnerability is fixed in 6.8.0.
CVE-2026-33123: (needs triaging) pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1.
CVE-2026-33699: (needs triaging) pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
CVE-2026-40260: (needs triaging) pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. This issue has been fixed in version 6.10.0.
CVE-2026-41168: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large `/N` values. This has been fixed in pypdf 6.10.1. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41312: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41313: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
CVE-2026-41314: (needs triaging) pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-08-15 Last update: 2026-04-28 19:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.0).

Created: 2025-02-21 Last update: 2026-03-31 15:01

news

[rss feed]

[2026-04-01] pypdf 6.9.2-1 MIGRATED to testing (Debian testing watch)
[2026-03-23] Accepted pypdf 6.9.2-1 (source) into unstable (Santiago Ruano Rincón)
[2026-03-21] pypdf 6.9.0-1 MIGRATED to testing (Debian testing watch)
[2026-03-18] Accepted pypdf 6.9.0-1 (source) into unstable (Santiago Ruano Rincón)
[2025-04-10] pypdf 5.4.0-1 MIGRATED to testing (Debian testing watch)
[2025-04-02] Accepted pypdf 5.4.0-1 (source) into unstable (Santiago Ruano Rincón)
[2024-07-24] pypdf 4.3.1-1 MIGRATED to testing (Debian testing watch)
[2024-07-22] Accepted pypdf 4.3.1-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-04-11] pypdf 4.2.0-1 MIGRATED to testing (Debian testing watch)
[2024-04-09] Accepted pypdf 4.2.0-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-03-18] pypdf 4.1.0-1 MIGRATED to testing (Debian testing watch)
[2024-03-08] Accepted pypdf 4.1.0-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-02-26] Accepted pypdf 3.4.1-1~bpo11+1 (source all) into bullseye-backports (Debian FTP Masters) (signed by: bage@debian.org)
[2024-02-23] pypdf 4.0.2-1 MIGRATED to testing (Debian testing watch)
[2024-02-21] Accepted pypdf 4.0.2-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-02-06] pypdf 4.0.1-1 MIGRATED to testing (Debian testing watch)
[2024-02-01] Accepted pypdf 4.0.1-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-01-27] pypdf 4.0.0-1 MIGRATED to testing (Debian testing watch)
[2024-01-23] Accepted pypdf 4.0.0-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-01-20] Accepted pypdf 3.4.1-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Donald Scott Kitterman)
[2024-01-19] Accepted pypdf 4.0.0-1~exp1 (source) into experimental (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2024-01-17] pypdf 3.17.4-1 MIGRATED to testing (Debian testing watch)
[2024-01-14] Accepted pypdf 3.17.4-1 (source) into unstable (Scott Kitterman) (signed by: Donald Scott Kitterman)
[2023-02-25] pypdf 3.4.1-1 MIGRATED to testing (Debian testing watch)
[2023-02-14] Accepted pypdf 3.4.1-1 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-29] pypdf 3.3.0-3 MIGRATED to testing (Debian testing watch)
[2023-01-26] Accepted pypdf 3.3.0-3 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-26] Accepted pypdf 3.3.0-2 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-23] Accepted pypdf 3.3.0-1 (source) into unstable (Daniel Kahn Gillmor) (signed by: dkg@debian.org)
[2023-01-20] Accepted pypdf 3.2.1-1 (source all) into unstable (Debian FTP Masters) (signed by: dkg@debian.org)

bugs [bug history graph]

all: 5
RC: 0
I&N: 5
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.9.2-1