CVE-2026-44019 PUBLISHED

Docling Core has insufficient validation of image reference URIs

Assigner: GitHub_M
Reserved: 04.05.2026 Published: 16.07.2026 Updated: 16.07.2026

Docling Core defines core data types and transformations for the document processing application Docling. In versions 2.5.0 and above, prior to 2.74.1, docling-core could allow local file:// image references and accepted inline data: content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads. This issue has been fixed in version 2.74.1.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
CVSS Score: 8.1

Product Status

Vendor docling-project
Product docling-core
Versions
  • Version >= 2.5.0, < 2.74.1 is affected

References

Problem Types

  • CWE-73: External Control of File Name or Path CWE
  • CWE-400: Uncontrolled Resource Consumption CWE