CVE-2026-40260
ADVISORY - githubSummary
Impact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata.
Patches
This has been fixed in pypdf==6.10.0.
Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3724.
EPSS Score: 0.00423 (0.341)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
ADVISORY - github
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
NIST
CREATED
UPDATED
ADVISORY IDCVE-2026-40260
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
6.9mediumGitHub
CREATED
UPDATED
ADVISORY IDGHSA-3crg-w4f6-42mx
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
6.9mediumDebian
CREATED
UPDATED
ADVISORY IDCVE-2026-40260
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Ubuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-40260
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
5.3mediumChainguard
CREATED
UPDATED
ADVISORY ID
CGA-fwwp-xpm4-28p9
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-rfx2-7jr3-pxc3
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-vx82-mp34-7qmq
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-