CVE-2026-59935

high

Description

pypdf is a free and open-source pure-python PDF library. Prior to 6.14.2, an attacker can craft a PDF with a page content stream containing a not terminated inline image that uses the ASCII85 or ASCIIHex filters, causing an infinite loop during parsing such as when extracting page text. This issue is fixed in version 6.14.2.

References

https://github.com/py-pdf/pypdf/security/advisories/GHSA-g867-7843-wf8q

https://github.com/py-pdf/pypdf/releases/tag/6.14.2

https://github.com/py-pdf/pypdf/pull/3892

https://github.com/py-pdf/pypdf/commit/5a33a46416aa1ae6c025ff90a3cca57631fdafd2

Details

Source: Mitre, NVD

Published: 2026-07-08

Updated: 2026-07-08

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Severity: Medium

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Severity: High