PT-2026-39633 · Docling · Docling

Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-31248

CVSS v3.1 7.5 High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Docling versions prior to 2.61.1

Description

The METS GBS backend is susceptible to XML entity expansion (an "XML bomb", also known as "billion laughs"). The backend extracts XML files from .tar.gz archives and parses and validates them with etree.fromstring() without disabling entity resolution. A remote attacker can place in such an archive an XML file whose internal DTD defines nested entities, each one referencing the previous entity many times. Resolving those references during parsing expands the document exponentially, exhausting memory and CPU and causing a denial of service (DoS). No authentication or user interaction is required; only availability is affected.

Recommendations

Update to version 2.61.1 or later.
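The following Python script is an added example, not Docling's code. It reproduces the vulnerable pattern (etree.fromstring() with entity resolution left on, here the standard library's xml.etree so it runs offline), shows how few bytes of input produce the amplification, and pairs it with a hardened path that rejects any DOCTYPE or entity declaration before parsing and caps the size of archive members. The archive, the member names, the payload and the MAX_MEMBER_BYTES cap are constructed for the demonstration; the payload is kept small (1000x) on purpose.

```python
"""XML entity-expansion ("XML bomb") demo and a DTD-rejecting guard.

Added example, not Docling's code. Standard library only; the archive,
the XML members and the payload are constructed here as sample input.
"""
import io
import tarfile
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed, harmless METS-like member.
CLEAN_METS = b'<?xml version="1.0"?><mets><fileSec/></mets>'


def make_xml_bomb(depth: int = 3, fanout: int = 10) -> bytes:
    """Nested internal entities: e1 = fanout x e0, e2 = fanout x e1, ...

    depth=3, fanout=10 expands to 10**3 = 1000 copies of the leaf text
    from a few hundred bytes of input. Real payloads use depth ~10, which
    is why the parser, not a size check on the input, has to stop this.
    """
    lines = ['<?xml version="1.0"?>', "<!DOCTYPE mets [", '<!ENTITY e0 "lol">']
    for i in range(1, depth + 1):
        refs = "".join(f"&e{i - 1};" for _ in range(fanout))
        lines.append(f'<!ENTITY e{i} "{refs}">')
    lines += ["]>", f"<mets>&e{depth};</mets>"]
    return "\n".join(lines).encode()


def parse_unsafely(data: bytes) -> int:
    """The vulnerable pattern: fromstring() with default entity resolution.
    Returns the length of the expanded text node."""
    root = ET.fromstring(data)
    return len(root.text or "")


class DtdRejected(ValueError):
    """Raised when a document declares a DTD or any entity."""


def reject_dtd(data: bytes) -> None:
    """Fail fast on any DOCTYPE/ENTITY declaration, before anything can be
    expanded. A METS document has no legitimate need for a DTD."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    def on_entity(*decl):  # (name, is_param, value, base, sysid, pubid, notation)
        raise DtdRejected(f"entity declaration {decl[0]!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_safely(data: bytes) -> ET.Element:
    """Hardened replacement: guard first, then parse."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    try:
        parse_safely(data)
    except DtdRejected:
        return True
    return False


def build_archive() -> bytes:
    """Constructed .tar.gz with one clean and one malicious XML member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in (("clean.xml", CLEAN_METS), ("bomb.xml", make_xml_bomb())):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


MAX_MEMBER_BYTES = 1 << 20  # assumed cap on a single XML member; tune for real data


def scan_archive(archive: bytes) -> dict:
    """Read XML members under a size cap and parse each through the guard."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or not member.name.endswith(".xml"):
                continue
            if member.size > MAX_MEMBER_BYTES:
                results[member.name] = "rejected: too large"
                continue
            data = tar.extractfile(member).read()
            try:
                results[member.name] = f"ok: <{parse_safely(data).tag}>"
            except DtdRejected as exc:
                results[member.name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    bomb = make_xml_bomb()
    print(f"{len(bomb)} bytes in -> {parse_unsafely(bomb)} characters out")
    print(scan_archive(build_archive()))
```

With lxml, the equivalent hardening is to parse with `etree.XMLParser(resolve_entities=False)` passed as the `parser=` argument to `etree.fromstring()`, so entity references are left unresolved instead of expanded; rejecting DTDs outright, as above, is the stricter option and is appropriate for a format such as METS where a DTD is never expected.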

Fix

Weakness Enumeration

XML Entity Expansion

Related Identifiers

CVE-2026-31248
GHSA-9F4Q-Q82Q-4359

Affected Products

Docling