CVE-2026-44018

Summary

Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the input document format detection lacked security controls. An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes. This vulnerability is fixed in 2.91.0.

Affected Software

VendorProductVersion RangeStatus
docling-projectdocling>= 2.45.0, < 2.91.0affected

Weaknesses

  • CWE-409: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
  • CWE-611: CWE-611: Improper Restriction of XML External Entity Reference
  • CWE-776: CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References