CVE-2026-44018

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Impact

The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling:

XML External Entity (XXE) attacks to read local files or cause denial of service
Decompression bombs (zip bombs) to exhaust memory and disk space
Unbounded archive extraction consuming system resources

An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.

Patches

Fixed in version 2.91.0. The fix implements:

Secure XML parsing with resolve entities=False, load dtd=False, and no network=True
Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count
Cumulative size tracking across all extractions
Early termination when limits are exceeded
Secure format detection of METS-GBS tar archives with detect mets gbs() method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded

Workarounds

Avoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.

References

Fix release: v2.91.0

Fix

XML Entity Expansion

XXE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-776CWE-409CWE-611

Related Identifiers

CVE-2026-44018

GHSA-R3XG-RG9J-67FV

Affected Products

Docling

CVE-2026-44018

Impact

Patches

Workarounds

References

Weakness Enumeration

Related Identifiers

Affected Products

References · 4