๐Ÿ” CVE Alert

CVE-2026-44019

HIGH 8.1

Docling Core has insufficient validation of image reference URIs

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

Docling Core defines core data types and transformations for the document processing application Docling. In versions 2.5.0 and above, prior to 2.74.1, docling-core could allow local file:// image references and accepted inline data: content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads. This issue has been fixed in version 2.74.1.

CWE CWE-73 CWE-400
Vendor docling-project
Product docling-core
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for docling-project docling-core

Be the first to know when new high vulnerabilities affecting docling-project docling-core are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Affected Versions

docling-project / docling-core
>= 2.5.0, < 2.74.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/docling-project/docling-core/security/advisories/GHSA-j5xp-7m2f-49jv github.com: https://github.com/docling-project/docling-core/releases/tag/v2.74.1