
AIKIDO-2026-10938

pypdf is vulnerable to Excessive Iteration

Excessive Iteration. CVE-2026-48156. Published Yesterday

Medium Risk

This Affects:

Python: pypdf
0.0.1 - 6.11.0
Fixed in 6.12.0

TL;DR

When pypdf parses PDF 1.5 cross-reference streams, _sanitize_pdf15_xref_stream_index_pairs treated zero-only /W width arrays as a minimum entry size of one byte. A crafted PDF can combine /W [0 0 0] with a very large /Size so opening the file drives excessive iteration over xref entries. Before the fix, processing such a PDF could hang or run for a long time in non-strict mode. The fix rejects zero-only /W values and stops xref parsing instead of iterating over bogus entry counts.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

pypdf is vulnerable to Excessive Iteration in versions 0.0.1 - 6.11.0.

How to fix this

Upgrade pypdf to 6.12.0 or later, the version that contains the fix.