Skip to main content

VectifyAI PageIndex CVE-2026-8318

| EUVDEUVD-2026-29201 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-05-11 VulDB GHSA-fp52-pxf6-37vh
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 11, 2026 - 19:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
May 11, 2026 - 19:00 vuln.today
CVE Published
May 11, 2026 - 18:00 nvd
MEDIUM 5.3

DescriptionCVE.org

A security flaw has been discovered in VectifyAI PageIndex up to f50e52975313c6716c02b20a119577a1929decba. Affected by this vulnerability is the function toc_transformer of the file pageindex/page_index.py of the component PDF Table of Contents Handler. The manipulation results in infinite loop. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.

AnalysisAI

VectifyAI PageIndex up to commit f50e52975313c6716c02b20a119577a1929decba allows remote unauthenticated denial-of-service attacks through an infinite loop vulnerability in the PDF Table of Contents handler. The toc_transformer function in pageindex/page_index.py can be triggered remotely without authentication, causing the application to hang and become unresponsive. Public exploit code is available, increasing real-world attack likelihood.

Technical ContextAI

The vulnerability exists in the toc_transformer function of the PDF Table of Contents (TOC) Handler component, a critical module that processes table of contents data during PDF parsing and indexing. The root cause is classified as CWE-835 (Infinite Loop), which occurs when the toc_transformer function fails to properly validate input or establish termination conditions when processing crafted PDF structures. An attacker can supply malformed TOC data that triggers unbounded iteration, exhausting application resources without causing a crash-a classic denial-of-service vector against web-accessible services. VectifyAI PageIndex operates on a rolling release basis without versioned releases, making affected versions difficult to track beyond the specific commit hash provided.

RemediationAI

Update VectifyAI PageIndex to a commit after f50e52975313c6716c02b20a119577a1929decba. Because the product uses rolling releases, monitor the GitHub repository (https://github.com/VectifyAI/PageIndex/) for a fix commit that addresses the infinite loop in toc_transformer and apply it immediately. As a temporary compensating control pending patching, implement strict request timeouts on all PDF processing operations (e.g., 30-second limit for TOC parsing) to force early termination of hung requests-this prevents cascading resource exhaustion but may result in failed document processing for complex PDFs. Additionally, restrict network access to PageIndex endpoints using IP allowlisting or WAF rules if the service is exposed; rate-limiting requests to the TOC handler can reduce attack volume but will not prevent determined attackers given AC:L complexity. Monitor application logs for repeated timeout events or hung processes, which may indicate exploitation attempts.

Share

CVE-2026-8318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy