Description
FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out. Repeated attacks can lead to sustained service unavailability. This issue has been patched in version 2.6.7.
Published: 2026-06-11
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FPDI is a collection of PHP classes that help developers read pages from existing PDF documents and use them as templates in FPDF. For versions earlier than 2.6.7, an attacker can upload a small, malicious PDF that will cause the server-side script to crash because of memory exhaustion or a script time-out. The crash leads to a cessation of service until the script is restarted, effectively denying service to legitimate users. Repeated attacks can lead to sustained service unavailability. This vulnerability is a classic example of resource exhaustion, identified by CWE-400 and CWE-770.

Affected Systems

The vulnerability affects Setasign's FPDI library, specifically any installation using a version earlier than 2.6.7. Users who integrate FPDI into PHP web applications through file-upload mechanisms and have not updated to the latest release are at risk.

Risk and Exploitability

The CVSS score of 6 indicates a moderate severity. No EPSS data is currently available, so the likelihood of exploitation cannot be precisely quantified. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via an HTTP request that uploads a malicious PDF to a PHP script utilizing FPDI. Repeat attacks can keep the service unavailable, so the risk to availability is significant even without confirmed exploits.

Generated by OpenCVE AI on June 11, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FPDI to version 2.6.7 or newer
  • If an upgrade is not immediately possible, limit the size and number of PDF uploads and run FPDI in a sandboxed or resource-restricted environment
  • Apply application-level input validation to detect malformed PDFs and reject them before processing
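The following is an added example of the interim measures in this list; it is not FPDI project code and is not part of the advisory. It assumes a Composer-installed setasign/fpdi with the autoloader at vendor/autoload.php, and the upload cap, page cap, time budget and memory budget are illustrative values to be tuned per deployment. It rejects uploads that fail cheap structural checks (size, `%PDF-` header, `%%EOF` trailer) before the parser runs, then performs the import under an explicit per-request memory and execution-time budget.

```php
<?php
// Added example (not FPDI project code): defensive wrapper around an FPDI
// import in an upload handler. Limits below are illustrative assumptions.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader path

use setasign\Fpdi\Fpdi;
use setasign\Fpdi\PdfParser\PdfParserException;

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MiB cap on a single upload
const MAX_PAGES        = 50;              // refuse documents reporting more pages
const IMPORT_TIMEOUT_S = 5;               // wall-clock budget for the parse step
const MEMORY_LIMIT     = '64M';           // memory budget for the parse step

/**
 * Cheap structural pre-checks that run before FPDI touches the file:
 * size bounds, the %PDF- header, and a %%EOF marker near the end.
 */
function preValidatePdf(string $path): void
{
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('rejected: file size out of bounds');
    }

    $fh = fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException('rejected: cannot open upload');
    }
    try {
        $head = fread($fh, 8);
        if ($head === false || strncmp($head, '%PDF-', 5) !== 0) {
            throw new RuntimeException('rejected: missing %PDF- header');
        }
        // A well-formed file ends with %%EOF; look in the final kilobyte.
        fseek($fh, -min(1024, $size), SEEK_END);
        $tail = stream_get_contents($fh);
        if ($tail === false || strpos($tail, '%%EOF') === false) {
            throw new RuntimeException('rejected: missing %%EOF trailer');
        }
    } finally {
        fclose($fh);
    }
}

/**
 * Imports the first page as a template under explicit memory and time
 * budgets so a pathological input fails fast for this request only.
 * Returns the page count reported by the parser.
 */
function importFirstPageSafely(string $path): int
{
    preValidatePdf($path);

    $prevMemory = ini_get('memory_limit');
    ini_set('memory_limit', MEMORY_LIMIT);
    set_time_limit(IMPORT_TIMEOUT_S);

    try {
        $pdf = new Fpdi();
        $pageCount = $pdf->setSourceFile($path);
        if ($pageCount > MAX_PAGES) {
            throw new RuntimeException('rejected: too many pages');
        }
        $tplId = $pdf->importPage(1);
        $pdf->AddPage();
        $pdf->useTemplate($tplId);
        return $pageCount;
    } catch (PdfParserException $e) {
        // Structure FPDI itself refuses to parse: report, do not crash.
        throw new RuntimeException('rejected: unparseable PDF', 0, $e);
    } finally {
        ini_set('memory_limit', $prevMemory);
    }
}

// Usage in an upload handler (tmp_name is the PHP-managed upload path):
// $pages = importFirstPageSafely($_FILES['pdf']['tmp_name']);
```

Two caveats on what this buys. Hitting `memory_limit` is a fatal error in PHP and is not caught by the `try`/`catch`, so the lower budget bounds how much one request can consume rather than turning exhaustion into a handled failure; likewise `set_time_limit` terminates a looping parse rather than recovering it. The pre-checks reject only obviously malformed files and will not stop a structurally valid PDF crafted to be expensive to parse, which is why the upgrade to 2.6.7 remains the actual fix and these measures are stopgaps. Limiting the number of uploads per client belongs to the web server or rate-limiting layer and is not shown here.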

Advisories

Source: GitHub GHSA
ID: GHSA-2mgw-7q6p-8grg
Title: FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service

History

Thu, 11 Jun 2026 20:00:00 +0000

Values added:

  Description: FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out. Repeated attacks can lead to sustained service unavailability. This issue has been patched in version 2.6.7.
  Title: FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service
  Weaknesses: CWE-400, CWE-770
  References:
  Metrics: cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Values removed: none

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:59:36.226Z

Reserved: 2026-05-13T08:19:32.603Z

Link: CVE-2026-45802

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-11T20:16:23.090

Modified: 2026-06-11T20:51:35.917

Link: CVE-2026-45802

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:15:09Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-770: Allocation of Resources Without Limits or Throttling