Lucene search
K

97 matches found

Snyk
Snyk
added 2026/06/03 9:14 p.m.14 views

XML Entity Expansion

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to XML Entity Expansion in backend/xml/usptobackend.py‎'s use of parseStrin...

9.4CVSS5.5AI score0.00334EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/06/03 9:14 p.m.8 views

haiku-rag (>=0.19.2 <=0.33.0), iatoolkit (>=1.40.0 <=1.42.0) +19 more potentially affected by CVE-2026-44020 via docling (>=2.17.0 <=2.73.1)

docling PYPI version =2.17.0, =0.19.2, =1.40.0, =0.1.0, =0.2.1, =0.6.1, =0.4.0, =1.0.0, =0.1.29, =0.3.1, =0.10.0, =0.2.1, =0.2.6 and more Source cves: CVE-2026-44020 Source advisory: SNYK:PYTHON-DOCLING-17151850...

9.4CVSS5.7AI score0.00334EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/03 9:14 p.m.7 views

haiku-rag (>=0.19.2 <=0.33.0), iatoolkit (>=1.40.0 <=1.42.0) +19 more potentially affected by CVE-2026-44020 via docling (>=2.17.0 <=2.73.1)

docling PYPI version =2.17.0, =0.19.2, =1.40.0, =0.1.0, =0.2.1, =0.6.1, =0.4.0, =1.0.0, =0.1.29, =0.3.1, =0.10.0, =0.2.1, =0.2.6 and more Source cves: CVE-2026-44020 Source advisory: OSV:GHSA-M88R-RG27-5XFG...

9.4CVSS5.7AI score0.00334EPSS
Exploits0
Snyk
Snyk
added 2026/06/03 9:13 p.m.11 views

XML External Entity Injection

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to XML External Entity Injection in the METS-GBS backend's XML parsing and...

7.1CVSS5.5AI score0.00113EPSS
Exploits0References4
vulnersOsv
vulnersOsv
added 2026/06/03 9:13 p.m.7 views

auto-survey (>=0.1.0 <=0.2.5), gptparse (=0.3.0) +12 more potentially affected by CVE-2026-44018 via docling (>=2.51.0 <=2.90.0)

docling PYPI version =2.51.0, =0.1.0, =0.19.2, =1.40.0, =0.6.2, =0.0.1, =0.3.0, =1.0.0, =1.6.2, =1.6.2, =0.2.4, =0.0.1, =0.0.2 Source cves: CVE-2026-44018 Source advisory: SNYK:PYTHON-DOCLING-17151841...

7.1CVSS5.7AI score0.00113EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/03 9:13 p.m.7 views

auto-survey (>=0.1.0 <=0.2.5), gptparse (=0.3.0) +12 more potentially affected by CVE-2026-44018 via docling (>=2.51.0 <=2.90.0)

docling PYPI version =2.51.0, =0.1.0, =0.19.2, =1.40.0, =0.6.2, =0.0.1, =0.3.0, =1.0.0, =1.6.2, =1.6.2, =0.2.4, =0.0.1, =0.0.2 Source cves: CVE-2026-44018 Source advisory: OSV:GHSA-R3XG-RG9J-67FV...

7.1CVSS5.7AI score0.00113EPSS
Exploits0
Snyk
Snyk
added 2026/06/03 9:9 p.m.11 views

Server-side Request Forgery (SSRF)

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the HTML rendering process when the...

8.2CVSS5.8AI score0.00384EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/06/03 9:9 p.m.6 views

auto-survey (>=0.1.0 <=0.2.5), gptparse (=0.3.0) +5 more potentially affected by CVE-2026-44016 via docling (>=2.87.0 <=2.90.0)

docling PYPI version =2.87.0, =0.1.0, =0.40.0, =0.6.2, =0.0.1, =0.0.1, =0.0.2 Source cves: CVE-2026-44016 Source advisory: OSV:GHSA-PJ2V-GGQH-CMQ2...

8.2CVSS5.7AI score0.00384EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/03 9:9 p.m.7 views

auto-survey (>=0.1.0 <=0.2.5), gptparse (=0.3.0) +5 more potentially affected by CVE-2026-44016 via docling (>=2.87.0 <=2.90.0)

docling PYPI version =2.87.0, =0.1.0, =0.40.0, =0.6.2, =0.0.1, =0.0.1, =0.0.2 Source cves: CVE-2026-44016 Source advisory: SNYK:PYTHON-DOCLING-17151857...

8.2CVSS5.7AI score0.00384EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/06/03 8:2 p.m.8 views

agent-context-packager (>=0.3.0 <=0.3.3), agentcrew-ai (>=0.6.0 <=0.6.11.post2) +236 more potentially affected by CVE-2026-44017 via docling (>=1.11.0 <=2.90.0)

docling PYPI version =1.11.0, =0.3.0, =0.6.0, =0.1.4, =0.3.2, =0.2.5, =0.4.0, =0.2.0, =26.5.333, =0.0.2, =0.1.0, =1.0.3, =1.0.0, =1.0.3 and more Source cves: CVE-2026-44017 Source advisory: OSV:GHSA-CJQG-RQ2H-2FVJ...

8.3CVSS5.7AI score0.00478EPSS
Exploits0
Snyk
Snyk
added 2026/06/03 8:2 p.m.11 views

Arbitrary File Write via Archive Extraction (Zip Slip)

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction Zip Slip in easyocrmodel.py...

8.3CVSS6.1AI score0.00478EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.16 views

PT-2026-46123

Name of the Vulnerable Software and Affected Versions docling-core versions 1.5.0 through 2.74.0 Description The software does not sufficiently restrict remote request destinations and can resolve a server-provided Content-Disposition to a local path in an unsafe manner. In applications that acce...

8.6CVSS5.8AI score0.00055EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.13 views

PT-2026-45850

Name of the Vulnerable Software and Affected Versions docling-core versions 2.5.0 through 2.74.0 Description Insufficient input sanitization when processing specific documents allows for path traversal, enabling remote attackers to read arbitrary files from the host server. The software allows...

8.1CVSS5.9AI score0.0004EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/14 4:56 p.m.39 views

CVE-2026-44520 Docling-Graph: SSRF via Missing Internal IP Validation in URLInputHandler

Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in doclinggraph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the...

5.7CVSS0.00188EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.9 views

Docling Graph 输入验证错误漏洞

Docling Graph is a structured data processing tool developed by the Docling Project, which converts document content into knowledge graphs. Versions of Docling Graph prior to 1.5.1 contained a vulnerability related to input validation errors. This vulnerability stemmed from the lack of validation...

5.7CVSS5.8AI score0.00188EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/12 8:21 p.m.11 views

CVE-2026-31247

Docling's JATS XML backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend uses etree.parse to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload XML Bomb. When processed by Doclin...

7.5CVSS5.8AI score0.00351EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/12 8:21 p.m.10 views

CVE-2026-31248

Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...

7.5CVSS5.8AI score0.00278EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/05/11 6:31 p.m.16 views

agent-context-packager (>=0.3.0 <=0.3.3), agentcrew-ai (>=0.6.0 <=0.6.11.post2) +229 more potentially affected by CVE-2026-31248 via docling (>=1.11.0 <=2.55.0)

docling PYPI version =1.11.0, =0.3.0, =0.6.0, =0.1.4, =0.3.2, =0.2.5, =0.4.0, =0.2.0, =26.5.333, =0.0.2, =1.0.3, =1.0.0, =1.0.3 - bidkit-parser =0.1.0 and more Source cves: CVE-2026-31248 Source advisory: OSV:GHSA-9F4Q-Q82Q-4359...

7.5CVSS5.7AI score0.00278EPSS
Exploits0
OSV
OSV
added 2026/05/11 6:31 p.m.10 views

GHSA-9F4Q-Q82Q-4359 Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks

Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...

7.5CVSS5.8AI score0.00278EPSS
Exploits0References3
OSV
OSV
added 2026/05/11 6:31 p.m.9 views

GHSA-CR42-RG2M-MQ4Q Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks

Docling's JATS XML backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend uses etree.parse to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload XML Bomb. When processed by Doclin...

7.5CVSS5.8AI score0.00351EPSS
Exploits0References3
Rows per page
Query Builder