chore(deps): update dependency pypdf to v6.9.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pypdf (changelog)	6.6.1 → 6.9.1

GitHub Vulnerability Alerts

CVE-2026-24688

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks.

Patches

This has been fixed in pypdf 6.6.2.

Workarounds

If projects cannot upgrade yet, consider applying the changes from PR #​3610.

CVE-2026-27024

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3645.

CVE-2026-27025

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3646.

CVE-2026-27026

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used.

Patches

This has been fixed in pypdf==6.7.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3644.

CVE-2026-27628

Impact

An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file.

Patches

This has been fixed in pypdf==6.7.2.

Workarounds

If users cannot upgrade yet, consider applying the changes from PR #​3655.

CVE-2026-27888

Impact

An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the xfa property of a reader or writer and the corresponding stream being compressed using /FlateDecode.

Patches

This has been fixed in pypdf==6.7.3.

Workarounds

If projects cannot upgrade yet, consider applying the changes from PR #​3658.

CVE-2026-28351

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter.

Patches

This has been fixed in pypdf==6.7.4.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3664.

CVE-2026-28804

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter.

Patches

This has been fixed in pypdf==6.7.5.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3666.

CVE-2026-31826

Impact

An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream.

Patches

This has been fixed in pypdf==6.8.0.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3675.

As far as we are aware, this mostly affects reading from buffers of unknown size, as returned by open("file.pdf", mode="rb") for example. Passing a file path or a BytesIO buffer to pypdf instead does not seem to trigger the vulnerability.

CVE-2026-33123

Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and/or large memory usage. This requires accessing an array-based stream with lots of entries.

Patches

This has been fixed in pypdf==6.9.1.

Workarounds

If you cannot upgrade yet, consider applying the changes from PR #​3686.

---

Release Notes

py-pdf/pypdf (pypdf)

v6.9.1

Compare Source

Security (SEC)

• Improve performance and limit length of array-based content streams (#​3686)

Full Changelog

v6.9.0

Compare Source

Security (SEC)

• Improve performance and limit length of array-based content streams (#​3686)

Full Changelog

v6.8.0

Compare Source

New Features (ENH)

• Expose /Perms verification result on Encryption object (#​3672)

Performance Improvements (PI)

• Fix O(n²) performance in NameObject read/write (#​3679)
• Batch-parse all objects in ObjStm on first access (#​3677)

Bug Fixes (BUG)

• Avoid sharing array-based content streams between pages (#​3681)
• Avoid accessing invalid page when inserting blank page under some conditions (#​3529)

Full Changelog

v6.7.5

Compare Source

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#​3666)

Full Changelog

v6.7.4

Compare Source

Security (SEC)

• Improve the performance of the ASCIIHexDecode filter (#​3666)

Full Changelog

v6.7.3

Compare Source

Security (SEC)

• Allow limiting output length for RunLengthDecode filter (#​3664)

Robustness (ROB)

• Deal with invalid annotations in extract_links (#​3659)

Full Changelog

v6.7.2

Compare Source

Security (SEC)

• Use zlib decompression limit when retrieving XFA data (#​3658)

Full Changelog

v6.7.1

Compare Source

Security (SEC)

• Prevent infinite loop from circular xref /Prev references (#​3655)

Bug Fixes (BUG)

• Fix wrong LUT size error (#​3651)
• Fix handling of page boxes defined on /Pages (#​3650)

Full Changelog

v6.7.0

Compare Source

Deprecations (DEP)

• Deprecate support for abbreviations in decode_stream_data (#​3617)

New Features (ENH)

• Add ability to add font resources for 14 Adobe Core fonts in text widget annotations (#​3624)

Bug Fixes (BUG)

• Avoid invalid load for ICCBased FlateDecode images in mode 1 (#​3619)

Robustness (ROB)

• Fix AESV2 decryption when /Length missing in encrypt dict (#​3629)
• Fix merging when annotations point to NullObject (#​3613)
• Check for self._info being None in compress_identical_objects (#​3612)

Full Changelog

v6.6.2

Compare Source

Security (SEC)

• Detect cyclic references when retrieving outlines (#​3610)

Full Changelog

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

poetry.lock

Package	Version	License	Issue Type
pypdf	6.9.1	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/pypdf	6.9.1	Unknown	Unknown

Scanned Files

• poetry.lock

[github-actions]

Test Results (Python 3.14)

183 tests  ±0   183 ✅ ±0   18s ⏱️ ±0s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit fcdd0b4. ± Comparison against base commit b1fd94d.

♻️ This comment has been updated with latest results.

[github-actions]

Coverage report

This PR does not seem to contain any modification to coverable code.

[github-actions]

Combined Test Results

  5 files  ±0    5 suites  ±0   1m 12s ⏱️ ±0s
183 tests ±0  183 ✅ ±0  0 💤 ±0  0 ❌ ±0 
915 runs  ±0  915 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit fcdd0b4. ± Comparison against base commit b1fd94d.

♻️ This comment has been updated with latest results.