Lucene search
K

15 matches found

RedhatCVE
RedhatCVE
added 2026/07/01 4:43 a.m.8 views

CVE-2026-44018

A flaw was found in Docling, a tool for document processing. The METS-GBS backend, responsible for parsing XML and detecting document formats, lacked sufficient security controls. This allowed an attacker to create specially crafted METS-GBS archives. When these archives were processed, they coul...

7.1CVSS5.8AI score0.00113EPSS
Exploits0References5
NVD
NVD
added 2026/06/26 4:16 p.m.9 views

CVE-2026-44018

Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the input document format detection lacked security controls. An attacker could craft malicious METS-GBS...

7.1CVSS0.00113EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/26 3:40 p.m.40 views

CVE-2026-44018 Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend

Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the input document format detection lacked security controls. An attacker could craft malicious METS-GBS...

5.5CVSS0.00113EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/26 3:40 p.m.6 views

CVE-2026-44018

Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the input document format detection lacked security controls. An attacker could craft malicious METS-GBS...

5.5CVSS5.8AI score0.00113EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/26 3:40 p.m.28 views

CVE-2026-44018

CVE-2026-44018 affects Docling’s METS-GBS backend. From versions 2.45.0 through 2.91.0, XML parsing and input document format detection lacked security controls, enabling crafted METS-GBS archives to read sensitive files, exhaust resources, or crash the application. The issue is fixed in 2.91.0. ...

7.1CVSS5.8AI score0.00113EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/03 9:13 p.m.12 views

GHSA-R3XG-RG9J-67FV Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend

Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity XXE attacks to read local files or cause denial of service - Decompression bombs zip bombs to exhaust memory and disk space - Unbounded archive extraction...

5.5CVSS5.8AI score0.00113EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/03 9:13 p.m.14 views

Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend

Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity XXE attacks to read local files or cause denial of service - Decompression bombs zip bombs to exhaust memory and disk space - Unbounded archive extraction...

7.1CVSS5.8AI score0.00113EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/06/03 9:13 p.m.11 views

XML External Entity Injection

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to XML External Entity Injection in the METS-GBS backend's XML parsing and...

7.1CVSS5.5AI score0.00113EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.17 views

PT-2026-46120

Name of the Vulnerable Software and Affected Versions Docling versions 2.45.0 through 2.90.0 Description The METS-GBS backend's XML parsing and input document format detection lack security controls. This allows for XML External Entity XXE attacks, which occur when an XML parser improperly handle...

7.1CVSS5.8AI score0.00113EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.19 views

PT-2026-46105

Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity XXE attacks to read local files or cause denial of service - Decompression bombs zip bombs to exhaust memory and disk space - Unbounded archive extraction...

5.5CVSS5.8AI score
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/12 8:21 p.m.10 views

CVE-2026-31248

Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...

7.5CVSS5.8AI score0.00278EPSS
Exploits0References1
OSV
OSV
added 2026/05/11 6:31 p.m.10 views

GHSA-9F4Q-Q82Q-4359 Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks

Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...

7.5CVSS5.8AI score0.00278EPSS
Exploits0References3
NVD
NVD
added 2026/05/11 5:16 p.m.15 views

CVE-2026-31248

Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...

7.5CVSS0.00278EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/11 12:0 a.m.10 views

CVE-2026-31248

Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...

5.8AI score0.00278EPSS
Exploits0References2
CVE
CVE
added 2026/05/11 12:0 a.m.26 views

CVE-2026-31248

CVE-2026-31248 affects Docling's METS GBS backend up to version 2.61.0. The backend parses XML from .tar.gz archives using etree.fromstring() without disabling entity resolution, enabling XML Entity Expansion (XXE) via nested entity definitions (XML Bomb). Processing such a crafted XML can cause ...

7.5CVSS5.8AI score0.00278EPSS
Exploits0References2
Rows per page
Query Builder