CVE-2026-48735 py-pdf CVE debrief

Who should care

Organizations using pypdf for PDF processing in server-side applications, document management systems, or automated workflows where untrusted PDFs are ingested. Particularly relevant for services processing user-uploaded documents.

Technical summary

The vulnerability stems from insufficient resource limits when parsing XMP (Extensible Metadata Platform) metadata in PDF files. XMP metadata can contain arbitrarily large XML structures with nested elements. Without proper size constraints or streaming parsing, processing maliciously constructed metadata leads to unbounded memory allocation. The fix in 6.12.1 likely implements parsing limits or streaming processing to bound memory consumption.

Defensive priority

medium

Recommended defensive actions

• Upgrade pypdf to version 6.12.1 or later
• Implement input validation to limit PDF file sizes and metadata complexity before processing
• Monitor memory usage when processing untrusted PDF documents
• Consider sandboxing PDF processing operations with resource limits
• Review applications using pypdf for XMP metadata extraction capabilities

Evidence notes

CVE published 2026-05-28. CVSS 4.0 vector indicates local attack vector with high availability impact. Fix confirmed via GitHub security advisory GHSA-wjqc-6w8f-h24c and release 6.12.1.

Official resources