CVE-2026-31247

HIGH

Docling JATS XML Backend thru 2.61.0 - XML Entity Expansion Denial of Service

Title source: manual

Description

Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend uses etree.parse() to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload (XML Bomb). When processed by Docling, the exponential expansion of entities leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

References (2)

Core 2

Core References

https://github.com/docling-project/docling

https://www.notion.so/CVE-2026-31247-35d1e1393188818fa654c116c6a470bb

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 16.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (1)

pypi/docling 0 - 2.61.0PyPI

Published May 11, 2026

Tracked Since May 11, 2026