CVE-2026-44019
8.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Summary
Docling Core defines core data types and transformations for the document processing application Docling. In versions 2.5.0 and above, prior to 2.74.1, docling-core could allow local file:// image references and accepted inline data: content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads. This issue has been fixed in version 2.74.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| docling-project | docling-core | >= 2.5.0, < 2.74.1 | affected |
Weaknesses
- CWE-73: CWE-73: External Control of File Name or Path
- CWE-400: CWE-400: Uncontrolled Resource Consumption
References
- https://github.com/docling-project/docling-core/security/advisories/GHSA-j5xp-7m2f-49jv
- https://github.com/docling-project/docling-core/releases/tag/v2.74.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.