VDB

GCVE-110-OSM-2026-3036

GCVE-110-OSM-2026-3036
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published April 23, 2026
Bug bounty dependency confusion attempt. Package exfiltrates basic system information (hostname, IP, DNS) to security research infrastructure. Behaviors: data exfiltration, code execution, obfuscated code. Payload: tests/scripts/data/commits__version_4_0_1.json Key findings: - Shell Command Execution in pypdf/filters.py: "subprocess.run(" - Data Encoding for Exfiltration in pypdf/generic/_base.py: "binascii.hexlify(" IOCs: - ipv4: 7.4.4.2, 7.7.3.3, 7.7.3.2, 12.7.4.3, 7.3.4.2 (+1 more) - ipv6: 2:: - urls: http://docs.pdfsharp.net, http://www.adobe.com/, https://download.macromedia.com/pub/developer/opentype/tech-notes/Core14_AFMs.zip, https://www.unicode.org/Public/MAPPINGS/VENDORS/ADOBE/symbol.txt, https://www.unicode.org/Public/MAPPINGS/VENDORS/ADOBE/zdingbat.txt (+33 more) - domains: mac-guyver.com, mathieu.fenniak.net, martin-thoma.de, canarytokens.com, docs.pdfsharp.net (+22 more) - emails: switham_github@mac-guyver.com, biziqe@mathieu.fenniak.net, info@martin-thoma.de - binaryHashes: af010636c5a7b4d87c8af9572e474783502402f32654d25bf347e5d56155f7a4 - payloadFileHash: 54a5ab23e91b03e0ae5dd0922793fa1377dc073622f51ed71b61b4e48223ce64

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownpypdf-fork* (affected)

References

advisory
vendor

Browse GCVE Records

72,148 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›