XML Parsing Vulnerability in Docling from Document Processing Vendor
CVE-2026-44018

5.5 MEDIUM

Key Information:

Status
Vendor
CVE Published: 26 June 2026

What is CVE-2026-44018?

The vulnerability in Docling's METS-GBS backend arises from insufficient security controls in XML parsing and document format detection. It affects versions from 2.45.0 up to, but not including, 2.91.0. An attacker can craft a malicious METS-GBS archive that, when processed, can lead to exposure of sensitive files, depletion of system resources, or crashes of the application. Users are strongly advised to update to version 2.91.0 or later to mitigate these risks.

Affected Version(s)

docling >= 2.45.0, < 2.91.0

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
