Total
88 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-4473 | 2 Canonical, Freedesktop | 2 Ubuntu Linux, Poppler | 2026-04-29 | 7.5 HIGH | N/A |
| Stack-based buffer overflow in the extractPages function in utils/pdfseparate.cc in poppler before 0.24.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a source filename. | |||||
| CVE-2010-3702 | 9 Apple, Canonical, Debian and 6 more | 11 Cups, Ubuntu Linux, Debian Linux and 8 more | 2026-04-29 | 7.5 HIGH | N/A |
| The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference. | |||||
| CVE-2013-7296 | 1 Freedesktop | 1 Poppler | 2026-04-29 | 5.0 MEDIUM | N/A |
| The JBIG2Stream::readSegments method in JBIG2Stream.cc in Poppler before 0.24.5 does not use the correct specifier within a format string, which allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted PDF file. | |||||
| CVE-2013-1788 | 1 Freedesktop | 1 Poppler | 2026-04-29 | 6.8 MEDIUM | N/A |
| poppler before 0.22.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors that trigger an "invalid memory access" in (1) splash/Splash.cc, (2) poppler/Function.cc, and (3) poppler/Stream.cc. | |||||
| CVE-2013-1789 | 1 Freedesktop | 1 Poppler | 2026-04-29 | 4.3 MEDIUM | N/A |
| splash/Splash.cc in poppler before 0.22.1 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to the (1) Splash::arbitraryTransformMask, (2) Splash::blitMask, and (3) Splash::scaleMaskYuXu functions. | |||||
| CVE-2013-4474 | 2 Canonical, Freedesktop | 2 Ubuntu Linux, Poppler | 2026-04-29 | 5.0 MEDIUM | N/A |
| Format string vulnerability in the extractPages function in utils/pdfseparate.cc in poppler before 0.24.3 allows remote attackers to cause a denial of service (crash) via format string specifiers in a destination filename. | |||||
| CVE-2013-1790 | 1 Freedesktop | 1 Poppler | 2026-04-29 | 6.8 MEDIUM | N/A |
| poppler/Stream.cc in poppler before 0.22.1 allows context-dependent attackers to have an unspecified impact via vectors that trigger a read of uninitialized memory by the CCITTFaxStream::lookChar function. | |||||
| CVE-2007-3387 | 6 Apple, Canonical, Debian and 3 more | 6 Cups, Ubuntu Linux, Debian Linux and 3 more | 2026-04-23 | 6.8 MEDIUM | N/A |
| Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function. | |||||
| CVE-2025-52886 | 1 Freedesktop | 1 Poppler | 2025-11-04 | N/A | 5.9 MEDIUM |
| Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std::atomic_int` for reference counting. Because `std::atomic_int` is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue. | |||||
| CVE-2023-34872 | 1 Freedesktop | 1 Poppler | 2025-11-04 | N/A | 5.5 MEDIUM |
| A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a remote attacker to cause a Denial of Service (DoS) (crash) via a crafted PDF file in OutlineItem::open. | |||||
| CVE-2025-32365 | 1 Freedesktop | 1 Poppler | 2025-11-03 | N/A | 4.0 MEDIUM |
| Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check. | |||||
| CVE-2025-32364 | 1 Freedesktop | 1 Poppler | 2025-11-03 | N/A | 4.0 MEDIUM |
| A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN. | |||||
| CVE-2024-56378 | 1 Freedesktop | 1 Poppler | 2025-11-03 | N/A | 4.3 MEDIUM |
| libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc. | |||||
| CVE-2022-38349 | 1 Freedesktop | 1 Poppler | 2025-11-03 | N/A | 6.5 MEDIUM |
| An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file. | |||||
| CVE-2022-37052 | 1 Freedesktop | 1 Poppler | 2025-11-03 | N/A | 6.5 MEDIUM |
| A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject. | |||||
| CVE-2022-37051 | 2 Debian, Freedesktop | 2 Debian Linux, Poppler | 2025-11-03 | N/A | 6.5 MEDIUM |
| An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file. | |||||
| CVE-2022-37050 | 2 Debian, Freedesktop | 2 Debian Linux, Poppler | 2025-11-03 | N/A | 6.5 MEDIUM |
| In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662. | |||||
| CVE-2020-36024 | 1 Freedesktop | 1 Poppler | 2025-11-03 | N/A | 5.5 MEDIUM |
| An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::convertToType1 function. | |||||
| CVE-2020-36023 | 1 Freedesktop | 1 Poppler | 2025-11-03 | N/A | 6.5 MEDIUM |
| An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function. | |||||
| CVE-2021-30860 | 3 Apple, Freedesktop, Xpdfreader | 7 Ipados, Iphone Os, Mac Os X and 4 more | 2025-10-27 | 6.8 MEDIUM | 7.8 HIGH |
| An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. | |||||