{"data":{"id":"4cc3e61d-030c-4191-89a2-62bd2560f6a0","title":"CVE-2026-44020: Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecos","summary":"Docling is a tool that reads different document formats and connects them to AI systems. Versions from 2.13.0 up to, but not including, 2.74.0 had a security flaw in how they read USPTO patent XML files (XML, a format for storing structured data): they didn't protect against XXE attacks (XML External Entity attacks, where specially crafted files trick the parser into reading files from the server or making unwanted network requests). An attacker could use this flaw to steal files, perform SSRF attacks (server-side request forgery, making the server request data it shouldn't), or crash the system. Note that the CVSS vector recorded for this entry (C:N/I:N/A:H) rates only the availability impact, and CWE-776 covers XML entity expansion rather than external-entity file disclosure.","solution":"This vulnerability is fixed in version 2.74.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-44020","publishedAt":"2026-06-24T18:17:17.467Z","cveId":"CVE-2026-44020","cweIds":["CWE-776"],"cvssScore":"7.5","cvssSeverity":"high","severity":"high","attackType":["data_extraction","denial_of_service"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Docling"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-06-24T18:17:17.467Z","capecIds":["CAPEC-197"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}