CVE-2026-45802: FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service

May 19, 2026 (updated June 12, 2026)

This is a significant Denial of Service (DoS) vulnerability. Any application that uses FPDI to process user-supplied PDF files is at risk. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out. Repeated attacks can lead to sustained service unavailability.

References

github.com/Setasign/FPDI/commit/1695cfcc7e01fe844a7296b3de90855a3fa65be6
github.com/Setasign/FPDI/releases/tag/v2.6.7
github.com/Setasign/FPDI/security/advisories/GHSA-2mgw-7q6p-8grg
github.com/advisories/GHSA-2mgw-7q6p-8grg
nvd.nist.gov/vuln/detail/CVE-2026-45802

Code Behaviors & Features

Detect and mitigate CVE-2026-45802 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →