PT-2026-39617 · Docling · Docling
Published
2026-05-11
·
Updated
2026-05-11
·
CVE-2026-31247
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Docling versions prior to 2.61.1
Description
The JATS XML backend is susceptible to XML Entity Expansion (XXE), a type of attack where an XML parser is tricked into processing entities that expand exponentially. This occurs because the backend utilizes the
etree.parse() function to process XML files without disabling entity resolution. A remote attacker can provide a specially crafted XML file containing a nested entity expansion payload, commonly known as an XML Bomb, which causes excessive resource consumption and leads to a denial of service (DoS) condition.Recommendations
Update to a version later than 2.61.0.
As a temporary workaround, restrict the processing of untrusted XML files by the JATS XML backend until the update is applied.
Fix
DoS
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Docling