CVE-2026-44018

Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the input document format detection lacked security controls. An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes. This vulnerability is fixed in 2.91.0.
Configurations

Configuration 1 (hide)

cpe:2.3:a:docling:docling:*:*:*:*:*:python:*:*

History

27 Jun 2026, 20:25

Type Values Removed Values Added
References () https://github.com/docling-project/docling/releases/tag/v2.91.0 - () https://github.com/docling-project/docling/releases/tag/v2.91.0 - Release Notes
References () https://github.com/docling-project/docling/security/advisories/GHSA-r3xg-rg9j-67fv - () https://github.com/docling-project/docling/security/advisories/GHSA-r3xg-rg9j-67fv - Patch, Vendor Advisory
CPE cpe:2.3:a:docling:docling:*:*:*:*:*:python:*:*
First Time Docling
Docling docling

26 Jun 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-26 16:16

Updated : 2026-06-27 20:25


NVD link : CVE-2026-44018

Mitre link : CVE-2026-44018

CVE.ORG link : CVE-2026-44018


JSON object : View

Products Affected

docling

  • docling
CWE
CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)

CWE-611

Improper Restriction of XML External Entity Reference

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')