{"data":{"id":"5ec03d24-c062-451b-8577-15dc864bcea5","title":"CVE-2026-44017: Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem","summary":"Docling is a tool that processes documents in different formats and connects with AI systems. Before version 2.91.0, it downloaded EasyOCR model archives and extracted the ZIP files without checking that each entry's path stayed inside the intended extraction directory, allowing a Zip Slip attack (a path traversal in which crafted archive entries are written outside the target directory). An attacker who could intercept or compromise the model download could therefore write malicious files anywhere on the system that the Docling process can write to, potentially taking complete control of it.","solution":"Update to Docling version 2.91.0 or later. The vulnerability is fixed in 2.91.0.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-44017","publishedAt":"2026-06-24T18:17:17.337Z","cveId":"CVE-2026-44017","cweIds":["CWE-22"],"cvssScore":"7.5","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Docling"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"network","attackComplexity":"high","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-06-24T18:17:17.337Z","capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}