Poppler

This hub aggregates every CVE we track for Poppler, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Poppler.

• CVE-2025-52885GHSL-2025-042: Poppler has Use-After-Free7.3Oct 10, 2025
• CVE-2025-43718Poppler 24.06.1 through 25.x before 25.04.0 allows stack consumption and a SIGSEGV via deeply nested structures within the metadata (such as GTS_PDFEVersion) of a PDF document, e.g., a regular expr...2.9Oct 1, 2025
• CVE-2025-50420An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS).6.5Aug 4, 2025
• CVE-2025-50422Cairo through 1.18.4, as used in Poppler through 25.08.0, has an "unscaled->face == NULL" assertion failure for _cairo_ft_unscaled_font_fini in cairo-ft-font.c.2.9Aug 4, 2025
• CVE-2025-52886Poppler Use After Free Vulnerability5.9Jul 2, 2025
• CVE-2025-43903NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.4.3Apr 18, 2025
• CVE-2025-32364A floating-point exception in the PSStack::roll function of Poppler before 25.04.0 can cause an application to crash when handling malformed inputs associated with INT_MIN.4.0Apr 5, 2025
• CVE-2025-32365Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.4.0Apr 5, 2025
• CVE-2024-56378libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.4.3Dec 22, 2024
• CVE-2024-6239Poppler: pdfinfo: crash in broken documents when using -dests parameter7.5Jun 21, 2024
• CVE-2022-38349An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before savin...6.5Aug 22, 2023
• CVE-2022-37051An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.6.5Aug 22, 2023
• CVE-2022-37050In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is misha...6.5Aug 22, 2023
• CVE-2022-37052A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.6.5Aug 22, 2023
• CVE-2020-23804Uncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.7.5Aug 22, 2023