
fix(deps): update dependency pypdf to v6.10.1 [security] #863

Merged
Smartappli merged 2 commits into master from renovate/pypi-pypdf-vulnerability
Apr 16, 2026

Conversation

@renovate
Contributor

@renovate renovate Bot commented Apr 15, 2026

This PR contains the following updates:

Package | Change | Age | Confidence
pypdf (changelog) | ==6.10.0 -> ==6.10.1 | (badge) | (badge)

GitHub Vulnerability Alerts

CVE-2026-40260

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata.

Patches

This has been fixed in pypdf==6.10.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3724.

Severity
  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

GHSA-jj6c-8h6c-hppx

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values.

Patches

This has been fixed in pypdf==6.10.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #3733.

Severity
  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Release Notes

py-pdf/pypdf (pypdf)

v6.10.1

Compare Source

Security (SEC)
  • Limit the allowed size of xref and object streams (#3733)
Robustness (ROB)
  • Consider strict mode setting for decryption errors (#3731)
Documentation (DOC)
  • Use new parameter names for compress_identical_objects

Full Changelog

v6.10.0

Compare Source


Full Changelog


Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
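The two advisories above describe inputs that are cheap to craft and expensive to parse: inflated /Size in a cross-reference stream or /N in an object stream (fixed in 6.10.1), and XMP metadata that balloons memory (fixed in 6.10.0). As an added example, not part of this PR and not pypdf's own code, the following pre-screen gates on the installed pypdf version and, for the 6.10.1 issue, rejects a file whose declared stream sizes exceed the file's own byte length before it is handed to the parser. The function names, the regular expressions and the two sample PDFs are constructed for illustration; the exact limits pypdf adopted in #3733 are not quoted on this page, and a byte-level regex is a triage filter, not a substitute for upgrading.

```python
import re

# Hypothetical helper names; not pypdf's API. Patched version taken from the
# GHSA entries in the PR description: 6.10.1 closes the xref/objstm issue.
PATCHED_PYPDF = (6, 10, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def pypdf_is_patched(version, minimum=PATCHED_PYPDF):
    """True if a pypdf version string is at or above the patched release."""
    m = _VERSION_RE.match(version)
    if not m:
        return False  # unparseable: treat as unknown, therefore unsafe
    return tuple(int(g) for g in m.groups()) >= minimum


# "N G obj << ... >> stream": the dictionary of any stream object. The
# non-greedy body followed by the literal "stream" keyword tolerates one
# nested dictionary such as /DecodeParms << ... >>.
_STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<(?P<body>.*?)>>\s*stream", re.S)
_TYPE_RE = re.compile(rb"/Type\s*/(\w+)")
# Which key to bound for which stream type (from the advisory text).
_BOUNDED_KEYS = {
    b"XRef": (b"/Size", re.compile(rb"/Size\s+(\d+)")),
    b"ObjStm": (b"/N", re.compile(rb"/N\s+(\d+)")),
}


def oversized_stream_dicts(data, cap=None):
    """Return (obj_num, stream_type, key, value) for every /Type /XRef
    dictionary whose /Size, or /Type /ObjStm dictionary whose /N, exceeds
    `cap`. Default cap is the file length: no xref or object stream can
    legitimately describe more entries than the file has bytes, so a larger
    declared size only makes the parser allocate or loop for nothing."""
    if cap is None:
        cap = len(data)
    findings = []
    for m in _STREAM_OBJ_RE.finditer(data):
        body = m.group("body")
        t = _TYPE_RE.search(body)
        if not t or t.group(1) not in _BOUNDED_KEYS:
            continue
        kind = t.group(1)
        key, rx = _BOUNDED_KEYS[kind]
        v = rx.search(body)
        if v and int(v.group(1)) > cap:
            findings.append((int(m.group(1)), kind.decode(), key.decode(),
                             int(v.group(1))))
    return findings


def triage(data, pypdf_version):
    """Reasons to refuse `data` before it reaches pypdf; empty list = proceed.
    Note the XMP issue (6.10.0) is covered only by the version check."""
    reasons = []
    if not pypdf_is_patched(pypdf_version):
        reasons.append("pypdf %s is below %s" % (
            pypdf_version, ".".join(map(str, PATCHED_PYPDF))))
    for obj, kind, key, value in oversized_stream_dicts(data):
        reasons.append("object %d: %s %s %d exceeds file length %d" % (
            obj, kind, key, value, len(data)))
    return reasons


# Constructed sample inputs (not real documents): a minimal well-formed file
# and one carrying the inflated /N and /Size values the advisory describes.
BENIGN_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /ObjStm /N 2 /First 10 /Length 46 >>\nstream\n"
    b"2 0 3 20 << /Type /Catalog >> << /Type /Pages >>\nendstream\nendobj\n"
    b"4 0 obj\n<< /Type /XRef /Size 5 /W [1 2 1] /Root 2 0 R /Length 20 >>\n"
    b"stream\n" + b"\x00" * 20 + b"\nendstream\nendobj\nstartxref\n120\n%%EOF\n"
)

MALICIOUS_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Type /ObjStm /N 2000000000 /First 8 /Length 9 >>\nstream\n"
    b"0 0 << >>\nendstream\nendobj\n"
    b"2 0 obj\n<< /Type /XRef /Size 4294967295 /W [1 4 2] /Filter /FlateDecode"
    b" /DecodeParms << /Columns 7 /Predictor 12 >> /Root 1 0 R /Length 0 >>\n"
    b"stream\n\nendstream\nendobj\nstartxref\n9\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        print(name, triage(blob, "6.10.0") or "ok to parse")
```

Run the triage on the raw bytes before constructing a pypdf reader, and treat any finding as a reject rather than a warning: the cost of the crafted file is on the parsing side, so the check has to happen before parsing starts.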

@renovate renovate Bot added dependencies Pull requests that update a dependency file renovate labels Apr 15, 2026
@codacy-production

codacy-production Bot commented Apr 15, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy


@Smartappli Smartappli merged commit a81960a into master Apr 16, 2026
15 of 19 checks passed
@Smartappli Smartappli deleted the renovate/pypi-pypdf-vulnerability branch April 16, 2026 09:19