Apache Tika - XML External Entity Injection

Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1, and tika-parsers 1.13-1.28.5 contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely, exploit requires crafted PDF input. id: CVE-2025-66516 info: nam...

Chromium: CVE-2026-11670 Use after free in PDF

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

PT-2026-49730

Name of the Vulnerable Software and Affected Versions pypdf versions prior to 6.12.2 Description A flaw in the pure-python PDF library allows an attacker to craft a PDF that causes excessive memory consumption. This occurs when extracting text from a page containing a form XObject a reusable PDF...

GHSA-248M-82V9-Q6G6 pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams

Impact An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W 0 0 0 values and large /Size values. Patches This has been fixed in pypdf==6.12.0. Workarounds If developers are unable to upgrade their apps immediately, the...

CVE-2026-45802

FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script...

DEBIAN-CVE-2026-11670

Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. Chromium security severity: High...

CVE-2026-11670

CVE-2026-11670: Use-after-free in PDF handling in Google Chrome prior to 149.0.7827.103 enables remote code execution in the sandbox when parsing a crafted PDF. Affected component is Chrome's PDF rendering; impact is high. Remediation per the connected documents is to update to Chrome 149.0.7827....

CVE-2026-11670

Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. Chromium security severity: High...

CVE-2026-11670

Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. Chromium security severity: High...

SUSE CVE-2026-10945

Use after free in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. Chromium security severity: High...

Chromium: CVE-2026-10945 Use after free in PDF

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Linux Distros Unpatched Vulnerability : CVE-2026-11303

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file...

CVE-2026-11261

Google Chrome is affected by CVE-2026-11261 due to an inappropriate implementation in the PDF handling within Chromium before version 149.0.7827.53. A remote attacker who has already compromised the renderer process could trigger UI spoofing by serving a crafted HTML page. The reported impact is ...

PT-2026-46788

Inappropriate implementation in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. Chromium security severity: Low...

PT-2026-46474

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.53 Description A use after free issue exists in the PDF component. This allows a remote attacker to execute arbitrary code within a sandbox if a user is convinced to perform specific UI gestures while...

CVE-2026-10118 Poppler: integer overflow in poppler splashoutputdev::tilingpatternfill leads to heap buffer overflow via unchecked dimension multiplication

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the tilingPatternFill function. This overflow leads to an undersized heap memory allocation, allowing a subsequent...

SUSE CVE-2026-48735

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1...

CVE-2026-9957

An use after free flaw was found in the PDF component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=504516117...

CVE-2026-9957

Use after free in PDF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. Chromium security severity: High...

Excessive Iteration

Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Excessive Iteration via the processing of cross-reference streams containing /W values set to 0 0 0 and large /Size values. An...