Security Vulnerability Report
CVE-2026-33699 CVSS 7.5 HIGH

Published: 2026-03-27 01:16:19
Last Modified: 2026-04-01 16:01:36

Description

pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.

Two practical notes. Non-strict mode is not an unusual configuration: strict=False is the default for pypdf.PdfReader, so code that never sets strict at all is on the affected path, and only callers that explicitly pass strict=True fall outside the stated precondition. The consequence is a hung parser rather than a crash or memory corruption: a worker that opens an attacker-supplied PDF spins until it is killed, which is why the CVSS vector below scores availability only (CWE-835, infinite loop).
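The description above leaves two things to the practitioner: deciding whether an installed pypdf falls in the affected range (anything below 6.9.2) and containing the damage a looping parser can do until the upgrade lands. The following is an added example written for this page, not code from the pypdf project or from the advisory. It compares a version string against the fixed release, checks the locally installed package, and runs the parse in a separate interpreter under a deadline, so a hang becomes a reported timeout instead of a stuck worker. The function names (is_vulnerable_version, installed_pypdf_is_vulnerable, run_child_with_deadline, extract_text_bounded) and the spinning stand-in child script are assumptions made for the example; only the pypdf.PdfReader(path, strict=False) call reflects the library's actual API.

```python
import re
import subprocess
import sys
from importlib.metadata import PackageNotFoundError, version

FIXED_VERSION = "6.9.2"  # first release with the fix, per the advisory


def _version_tuple(v: str) -> tuple:
    """Turn '6.9.1' (or '7.0.0rc1') into a comparable tuple of ints."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def is_vulnerable_version(v: str) -> bool:
    """True when v is strictly below the fixed release (versionEndExcluding 6.9.2)."""
    return _version_tuple(v) < _version_tuple(FIXED_VERSION)


def installed_pypdf_is_vulnerable():
    """Check the pypdf installed in this interpreter; None if it is not installed."""
    try:
        return is_vulnerable_version(version("pypdf"))
    except PackageNotFoundError:
        return None


def run_child_with_deadline(child_code: str, timeout_s: float, *args: str) -> str:
    """Run child_code in a fresh interpreter and kill it at the deadline.

    Returns 'ok', 'error' or 'timeout'. A separate process is used on purpose:
    an infinite loop inside the parser cannot be interrupted from a thread,
    but a child process can be killed.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", child_code, *args],
            capture_output=True,
            text=True,
            timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        return "timeout"  # subprocess.run has already killed the child
    return "ok" if proc.returncode == 0 else "error"


# Child script that parses with pypdf exactly as the vulnerable path requires
# (strict=False, which is also PdfReader's default) and prints page-1 text.
# The file path arrives as sys.argv[1] because it is passed after "-c code".
PYPDF_CHILD = """
import sys
import pypdf
reader = pypdf.PdfReader(sys.argv[1], strict=False)
print(reader.pages[0].extract_text())
"""

# Constructed stand-in for a looping parser (hypothetical, for this example),
# so the deadline can be exercised without a crafted PDF or pypdf installed.
SPIN_CHILD = "while True: pass"


def extract_text_bounded(pdf_path: str, timeout_s: float = 10.0) -> str:
    """Parse an untrusted PDF with pypdf under a hard deadline."""
    return run_child_with_deadline(PYPDF_CHILD, timeout_s, pdf_path)


if __name__ == "__main__":
    print("installed pypdf vulnerable:", installed_pypdf_is_vulnerable())
    print("spinning child:", run_child_with_deadline(SPIN_CHILD, 1.0))
    if len(sys.argv) > 1:
        print("pdf parse:", extract_text_bounded(sys.argv[1]))
```

The process boundary is the point of the design: once the parser is in an unreachable-exit loop nothing inside the same interpreter will get control back, so the only reliable containment is a deadline enforced from outside, which is also what lets a service keep accepting other jobs while a poisoned document is discarded.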

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
CWE-835 (Loop with Unreachable Exit Condition, "Infinite Loop")
Secondary CVSS 4.0 Vector (from the raw JSON below)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Secondary CVSS 4.0 Score
4.6 MEDIUM

Both vectors score availability only: confidentiality and integrity are untouched, and the impact is a parser that never returns. The two scores differ because CVSS 4.0 records the need to get a crafted file in front of the victim as an attack requirement (AT:P), which the 3.1 vector has no field for.

Configurations (Affected Products)

cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:* - VULNERABLE
pypdf < 6.9.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import signal

import pypdf

# Proof of Concept for CVE-2026-33699.
# This script demonstrates the condition under which the vulnerability
# is triggered: reading an attacker-crafted PDF in non-strict mode.
# An infinite loop never raises, so a SIGALRM deadline (POSIX only)
# turns a hang into a reported timeout instead of a stuck interpreter.


def _on_alarm(signum, frame):
    raise TimeoutError("parser did not return; likely the infinite loop")


def trigger_vulnerability(malicious_pdf_path, timeout_s=10):
    # Using strict=False is the key condition for exploitation
    # (it is also PdfReader's default).
    signal.signal(signal.SIGALRM, _on_alarm)
    signal.alarm(timeout_s)
    try:
        reader = pypdf.PdfReader(malicious_pdf_path, strict=False)
        # Constructing the reader and accessing a page drives the parsing
        page = reader.pages[0]
        print(page.extract_text())
    except TimeoutError as e:
        print(f"Hang detected: {e}")
    except Exception as e:
        print(f"Exception occurred: {e}")
    finally:
        signal.alarm(0)


# Note: 'malicious.pdf' needs to be a file specifically crafted
# to cause the infinite loop in versions < 6.9.2.
if __name__ == "__main__":
    trigger_vulnerability("malicious.pdf")

References

https://github.com/py-pdf/pypdf/pull/3693 (Issue Tracking, Patch)
https://github.com/py-pdf/pypdf/releases/tag/6.9.2 (Product, Release Notes)
https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3 (Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33699", "sourceIdentifier": "[email protected]", "published": "2026-03-27T01:16:19.147", "lastModified": "2026-04-01T16:01:35.880", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually."}, {"lang": "es", "value": "pypdf es una biblioteca PDF escrita puramente en Python, gratuita y de código abierto. Las versiones anteriores a la 6.9.2 tienen una vulnerabilidad en la que un atacante puede crear un PDF que conduce a un bucle infinito. Esto requiere leer un archivo en modo no estricto. Esto ha sido corregido en pypdf 6.9.2. Si los usuarios aún no pueden actualizar, consideren aplicar los cambios del parche manualmente."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pypdf_project:pypdf:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.9.2", "matchCriteriaId": "122BA466-C678-4E2D-9378-30AD9C0474E0"}]}]}], "references": [{"url": "https://github.com/py-pdf/pypdf/pull/3693", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/py-pdf/pypdf/releases/tag/6.9.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-87mj-5ggw-8qc3", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}