PT-2026-39617 · Docling · Docling

Published

2026-05-11

·

Updated

2026-05-11

·

CVE-2026-31247


No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Docling versions prior to 2.61.1
Description The JATS XML backend is susceptible to XML entity expansion (the "billion laughs" class of attack, not to be confused with XML External Entity, XXE, which the advisory's own description does not involve). In this attack the XML parser is tricked into resolving nested internal entities whose expanded size grows exponentially with the nesting depth. The backend is affected because it passes input to etree.parse() with a default parser that has entity resolution enabled. A remote attacker can supply a specially crafted XML file whose internal DTD subset declares a chain of nested entities (an "XML bomb"); parsing it consumes memory and CPU out of all proportion to the file's size, leading to a denial of service (DoS) condition.
Recommendations Update to Docling 2.61.1 or later. As a temporary workaround, do not feed untrusted XML files to the JATS XML backend until the update is applied, for example by rejecting any document that carries a DOCTYPE declaration before it reaches the parser.
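The following is an added example, not Docling's code or the patch for this CVE. It shows the practitioner-side check that the workaround above implies: before any `etree.parse()`-style call, refuse a DOCTYPE outright, or, where an internal DTD must be tolerated, bound how large the entity expansion would become by walking the entity graph instead of expanding it. The sample payload and JATS fragment are constructed for illustration; the function names (`estimate_expansion`, `safe_parse`) and the default limit are hypothetical. The stdlib `xml.etree.ElementTree` parser is used so the block runs without lxml; the equivalent hardening in lxml is an `etree.XMLParser(resolve_entities=False)` handed to `etree.parse()`.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Constructed sample inputs (illustrative, not taken from the advisory).
# A nested-entity payload of the "billion laughs" kind dressed as a JATS
# <article>: 10 * 10 * 10 * 10 = 10,000 characters from a few hundred bytes.
XML_BOMB = """<?xml version="1.0"?>
<!DOCTYPE article [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<article><body><p>&d;</p></body></article>
"""

# A harmless JATS fragment with no DTD at all.
BENIGN_JATS = """<?xml version="1.0"?>
<article><front><article-meta><title-group>
<article-title>Entity expansion &amp; parsers</article-title>
</title-group></article-meta></front></article>
"""

_DECL_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')  # internal general entities only
_REF_RE = re.compile(r'&(\w+);')
_PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character


def estimate_expansion(xml_text: str) -> int:
    """Characters the document would occupy if every general entity reference
    were resolved, computed over the entity graph without resolving anything.
    Only double-quoted literal entities in the internal subset are understood;
    parameter and external entities must be refused by the caller."""
    decls: Dict[str, str] = dict(_DECL_RE.findall(xml_text))
    memo: Dict[str, int] = {}

    def expanded(name: str, stack: Set[str]) -> int:
        if name in _PREDEFINED:
            return 1
        if name in memo:
            return memo[name]
        if name in stack:  # XML forbids recursive entities; treat as hostile
            raise ValueError(f"recursive entity &{name};")
        body = decls.get(name)
        if body is None:
            raise ValueError(f"undeclared entity &{name};")
        literal = len(_REF_RE.sub("", body))
        total = literal + sum(expanded(r, stack | {name}) for r in _REF_RE.findall(body))
        memo[name] = total
        return total

    # Entity references count only in the content after the internal subset.
    end = xml_text.find("]>") if "<!DOCTYPE" in xml_text else -1
    content = xml_text[end + 2:] if end != -1 else xml_text
    literal = len(_REF_RE.sub("", content))
    return literal + sum(expanded(r, set()) for r in _REF_RE.findall(content))


def safe_parse(xml_text: str, *, allow_internal_dtd: bool = False,
               max_expansion: int = 1_000_000) -> ET.Element:
    """Hardened counterpart of a bare parse call on untrusted JATS (assumed
    pre-fix shape; not Docling's code). Untrusted JATS should not need a DTD,
    so a DOCTYPE is refused by default. When one must be tolerated, external
    and parameter entities are still refused and the expansion bound is
    checked before the parser ever sees the entities."""
    has_doctype = "<!DOCTYPE" in xml_text
    if has_doctype and not allow_internal_dtd:
        raise ValueError("untrusted input: DOCTYPE refused")
    if has_doctype and re.search(r"<!ENTITY\s+%|\bSYSTEM\b|\bPUBLIC\b", xml_text):
        raise ValueError("external or parameter entities refused")
    size = estimate_expansion(xml_text)
    if size > max_expansion:
        raise ValueError(f"entity expansion would produce {size} characters")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    print("bomb would expand to", estimate_expansion(XML_BOMB), "characters")
    for label, kwargs in (("default policy", {}),
                          ("dtd allowed, 5k limit", {"allow_internal_dtd": True,
                                                      "max_expansion": 5_000})):
        try:
            safe_parse(XML_BOMB, **kwargs)
        except ValueError as exc:
            print(f"{label}: refused ({exc})")
    print("benign root:", safe_parse(BENIGN_JATS).tag)
```

The default policy (refuse any DOCTYPE) is the one to run in front of a document-conversion service; the expansion estimate only matters for deployments that must accept JATS with an internal subset, and even there it is a bound on what the parser will be asked to materialize, not a substitute for disabling entity resolution in the parser itself.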

Related Identifiers

CVE-2026-31247

Affected Products

Docling