XML External Entity Vulnerability in Docling Document Processing from Vendor Docling
CVE-2026-44020

7.5HIGH

Key Information:

Vendor: Docling-project
Status: Docling
Vendor: CVE Published:; 24 June 2026

🔔 Create Docling-project Vulnerability Alert

What is CVE-2026-44020?

The vulnerability allows attackers to exploit the USPTO patent XML parser in context of Docling, leading to potential reading of arbitrary files, Server-Side Request Forgery (SSRF) attacks, and denial of service through entity expansion. This security flaw affects versions of Docling from 2.13.0 to 2.74.0 and can be mitigated by upgrading to version 2.74.0.

Affected Version(s)

docling >= 2.13.0, < 2.74.0

References

https://github.com/docling-project/docling/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
May 4, 2026

CVE-2026-44020 Data

JSON