Apache Tika - XML External Entity Injection

Apache Tika tika-core 1.13-3.2.1, tika-pdf-module 2.0.0-3.2.1, and tika-parsers 1.13-1.28.5 contain an XML External Entity injection caused by processing crafted XFA files inside PDFs, letting attackers perform XXE attacks remotely, exploit requires crafted PDF input. id: CVE-2025-66516 info: nam...

SUSE CVE-2026-10945

Use after free in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. Chromium security severity: High...

Chromium: CVE-2026-10945 Use after free in PDF

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Linux Distros Unpatched Vulnerability : CVE-2026-11303

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file...

CVE-2026-11261

Google Chrome is affected by CVE-2026-11261 due to an inappropriate implementation in the PDF handling within Chromium before version 149.0.7827.53. A remote attacker who has already compromised the renderer process could trigger UI spoofing by serving a crafted HTML page. The reported impact is ...

PT-2026-46788

Inappropriate implementation in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. Chromium security severity: Low...

PT-2026-46474

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 149.0.7827.53 Description A use after free issue exists in the PDF component. This allows a remote attacker to execute arbitrary code within a sandbox if a user is convinced to perform specific UI gestures while...

CVE-2026-10118 Poppler: integer overflow in poppler splashoutputdev::tilingpatternfill leads to heap buffer overflow via unchecked dimension multiplication

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the tilingPatternFill function. This overflow leads to an undersized heap memory allocation, allowing a subsequent...

SUSE CVE-2026-48735

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1...

CVE-2026-9957

An use after free flaw was found in the PDF component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=504516117...

CVE-2026-9957

Use after free in PDF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. Chromium security severity: High...

Excessive Iteration

Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Excessive Iteration via the processing of cross-reference streams containing /W values set to 0 0 0 and large /Size values. An...

DEBIAN-CVE-2026-48156

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W 0 0 0 values and large /Size values. This vulnerability is fixed in 6.12.0...

CVE-2026-48155

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0...

CVE-2026-48156

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W 0 0 0 values and large /Size values. This vulnerability is fixed in 6.12.0...

PT-2026-44665

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.216 Description A use after free issue exists in the PDF component, which allows a remote attacker to execute arbitrary code within a sandbox by utilizing a specially crafted PDF file. Use after free ...

Debian dsa-6286 : evince - security update

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6286 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6286-1 [email protected] https://www.debian.org/security/...

Astra Linux - уязвимость в chromium

Using “after free” in PDFs in Google Chrome before version 111.0.5563.110 allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page. Chromium security severity: High...

Astra Linux - уязвимость в chromium

A heap buffer overflow vulnerability in PDF files in Google Chrome prior to version 118.0.5993.70 allowed a remote attacker who convinced a user to perform certain user interactions to potentially exploit heap corruption through a crafted PDF file. Chromium security severity: Medium...

Astra Linux - уязвимость в poppler, poppler-22

A logical error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service DoS attack through a crafted PDF file...