CVE-2026-44019
Docling Core has insufficient validation of image reference URIs
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
Docling Core defines core data types and transformations for the document processing application Docling. In versions 2.5.0 and above, prior to 2.74.1, docling-core could allow local file:// image references and accepted inline data: content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads. This issue has been fixed in version 2.74.1.
| CWE | CWE-73 CWE-400 |
| Vendor | docling-project |
| Product | docling-core |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for docling-project docling-core
Be the first to know when new high vulnerabilities affecting docling-project docling-core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High
Affected Versions
docling-project / docling-core
>= 2.5.0, < 2.74.1