CVE-2026-44020: Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecos
Summary
Docling is a tool that reads different document formats and connects them to AI systems. Versions 2.13.0 through 2.74.0 had a security flaw in how they read USPTO patent XML files (XML, a format for storing structured data): they didn't protect against XXE attacks (XML External Entity attacks, where specially crafted files trick the parser into reading files from the server or making unwanted network requests). An attacker could use this flaw to steal files, perform SSRF attacks (server-side request forgery, making the server request data it shouldn't), or crash the system.
Solution / Mitigation
This vulnerability is fixed in version 2.74.0.
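For pipelines that accept untrusted patent XML, the following added example (not Docling's code, and not the project's actual fix, which this page does not describe) screens a file with Python's standard-library expat parser and rejects any document that declares an entity, while still accepting a DOCTYPE that merely names an external DTD. The function names, the `us-patent-grant` root element and the sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when a document declares or references an entity."""


def screen_xml(data: bytes) -> str:
    """Parse without resolving anything external; return the root tag.

    Any entity declaration (internal or external) aborts the parse, which
    covers file disclosure, SSRF and entity-expansion denial of service.
    """
    root = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id else "internal"
        raise UnsafeXml(f"{kind} entity declaration: {name!r}")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXml(f"external entity reference: {system_id!r}")

    def on_start(tag, attrs):
        if not root:
            root.append(tag)

    parser = expat.ParserCreate()
    # Never load the external DTD subset or parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return root[0]


def verdict(data: bytes) -> str:
    try:
        return "ok: " + screen_xml(data)
    except UnsafeXml as exc:
        return "rejected: " + str(exc)


# Constructed samples, not real USPTO data. The benign one assumes a DOCTYPE
# that names a DTD, so blanket DOCTYPE rejection would refuse valid input.
BENIGN = (b'<?xml version="1.0"?>\n<!DOCTYPE us-patent-grant SYSTEM "example.dtd" [ ]>\n'
          b"<us-patent-grant><title>t</title></us-patent-grant>")
EXTERNAL = b'<!DOCTYPE d [<!ENTITY e SYSTEM "file:///constructed/placeholder">]><d>&e;</d>'
INTERNAL = b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]><d>&b;</d>'
```

Run the screen before the file reaches any parser that may resolve entities; upgrading to the fixed release remains the primary mitigation.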
Vulnerability Details
CVSS score: 7.5 (high)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack vector: network
Attack complexity: low
Privileges required: none
User interaction: none
June 24, 2026
Classification
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44020
First tracked: June 25, 2026 at 08:22 AM
Classified by LLM (prompt v3) · confidence: 85%