PT-2026-46098 · Pypi · Docling-Core

Published 2026-06-03 · Updated 2026-06-03

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Impact

In versions >= 2.5.0, < 2.74.1, docling-core allowed local file:// image references and accepted inline data: content without a limit on the decoded size.
In applications that accept untrusted image references, this may allow access to local files readable by the process, or excessive memory use from large inline payloads.

Patches

Patched in docling-core 2.74.1. The fix blocks local file URIs by default and adds a size limit for decoded inline image data.
Users should upgrade to:
  • docling-core >= 2.74.1

Workarounds

If upgrading is not immediately possible:
  • reject file: and data: image references from untrusted input
  • allow only approved local or remote image sources
  • apply input size and memory limits to processing workers
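The three workarounds above can be enforced at the point where image references enter an application, before anything is fetched or decoded. The following is an added example written for this advisory; it is not docling-core code and does not call its API. It rejects file: references, allows only approved remote hosts or paths under an approved local directory, and caps inline data: payloads by computing the decoded size from the base64 text before decoding it, so an oversized payload is refused without allocating the buffer. The hostnames, directory and size limit are assumptions chosen for the example.

```python
"""Image-reference policy check, written as an added example for the advisory's
workarounds. Not docling-core code; the policy values below are assumptions."""
import base64
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Assumed policy values for this example, not project defaults.
ALLOWED_HOSTS = {"images.example.internal"}               # approved remote sources
ALLOWED_LOCAL_ROOT = Path("/srv/docs/images").resolve()   # approved local directory
MAX_DECODED_BYTES = 1_000_000                             # cap on inline data: payloads


class RejectedReference(ValueError):
    """Raised when an image reference violates the policy."""


def base64_decoded_size(payload: str) -> int:
    """Decoded byte count of a base64 payload, computed without decoding it.

    Four base64 characters carry three bytes; each trailing '=' removes one.
    Checking the size first means an oversized payload is refused before any
    large buffer is allocated, which is the point of a decoded-size limit.
    """
    cleaned = "".join(payload.split())          # tolerate embedded whitespace
    if not cleaned or len(cleaned) % 4:
        raise RejectedReference("malformed base64 payload")
    padding = len(cleaned) - len(cleaned.rstrip("="))
    if padding > 2:
        raise RejectedReference("malformed base64 padding")
    return len(cleaned) * 3 // 4 - padding


def validate_image_reference(ref: str, allow_inline: bool = True) -> dict:
    """Return a description of an accepted source, or raise RejectedReference."""
    if not ref.strip():
        raise RejectedReference("empty reference")
    parts = urlsplit(ref)
    scheme = parts.scheme.lower()

    if scheme == "file":
        # Same default as the 2.74.1 fix: local file URIs are blocked.
        raise RejectedReference("file: references are not allowed")

    if scheme == "data":
        if not allow_inline:
            raise RejectedReference("inline data: references are not allowed")
        header, sep, payload = parts.path.partition(",")
        if not sep:
            raise RejectedReference("malformed data: URI")
        params = header.split(";")
        media_type = params[0].lower()
        if not media_type.startswith("image/"):
            raise RejectedReference("inline payload is not an image")
        if "base64" in params[1:]:
            size = base64_decoded_size(payload)
        else:
            size = len(unquote(payload).encode())   # percent-encoded payload
        if size > MAX_DECODED_BYTES:
            raise RejectedReference(f"inline image too large: {size} bytes")
        return {"kind": "inline", "media_type": media_type, "decoded_size": size}

    if scheme in ("http", "https"):
        if parts.hostname not in ALLOWED_HOSTS:
            raise RejectedReference(f"host not approved: {parts.hostname!r}")
        return {"kind": "remote", "url": ref}

    if scheme == "":
        # A bare path is allowed only if it stays inside the approved directory;
        # resolve() collapses '..' so traversal out of the root is caught.
        candidate = (ALLOWED_LOCAL_ROOT / ref).resolve()
        if ALLOWED_LOCAL_ROOT not in candidate.parents:
            raise RejectedReference("local path escapes the approved directory")
        return {"kind": "local", "path": str(candidate)}

    raise RejectedReference(f"unsupported scheme: {scheme!r}")


def check_reference(ref: str) -> tuple[bool, str]:
    """Non-raising wrapper: (accepted, source kind or rejection reason)."""
    try:
        return True, validate_image_reference(ref)["kind"]
    except RejectedReference as exc:
        return False, str(exc)


def inline_png_reference(decoded_bytes: int) -> str:
    """Constructed data: URI whose base64 payload decodes to exactly decoded_bytes."""
    blob = b"\x89PNG" + b"\x00" * (decoded_bytes - 4)
    return "data:image/png;base64," + base64.b64encode(blob).decode()


if __name__ == "__main__":
    samples = [                                  # constructed inputs
        "https://images.example.internal/fig1.png",
        "https://other.example.net/fig1.png",
        "file:///etc/passwd",
        "../../etc/passwd",
        "diagram.png",
        inline_png_reference(12),
        inline_png_reference(MAX_DECODED_BYTES + 1),
    ]
    for s in samples:
        ok, info = check_reference(s)
        print("ACCEPT" if ok else "REJECT", s[:48], info)
```

The size check deliberately runs on the encoded text rather than on the result of base64.b64decode, because the memory-use problem described in the advisory comes from decoding first and measuring afterwards. Applied to a worker process, this check belongs alongside the process-level memory limits the workarounds list mentions, not in place of them.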

References

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

GHSA-J5XP-7M2F-49JV

Affected Products

Docling-Core