CVE-2026-44018
Published: 26 June 2026
Summary
CVE-2026-44018 is a medium-severity Data Amplification (CWE-409) vulnerability in Docling (vendor: Docling, product: Docling). Its CVSS base score is 5.5 (Medium).
Operationally, it is ranked at the 1.1 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-39790
Vulnerability details
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the input document format detection lacked security controls. An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes. This vulnerability is fixed in 2.91.0.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not been run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that includes XML external entity (XXE) payloads, detecting XXE vulnerabilities so they can be mitigated.
- Controls that limit the effect of data amplification from compressed or malicious inputs.
- Monitoring that identifies XML external entity processing through unusual file or network access or resource usage.
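As an added example (not Docling's code and not part of this advisory), the following Python shows the two intake-side checks that the vulnerability description and the controls above point at: refusing XML that carries a DTD or entity declaration before any entity is expanded (the file-read and entity-expansion vector), and refusing archive members whose declared decompression ratio is implausible (data amplification, CWE-409). The function names, the thresholds and the sample inputs are assumptions constructed for illustration; they do not describe how Docling's METS-GBS backend or the 2.91.0 fix is implemented.

```python
"""Intake checks against XML entity attacks and archive data amplification.

Added example, not Docling's code. Function names, thresholds and the
sample inputs below are constructed for illustration.
"""
import io
import xml.parsers.expat
import zipfile


class UnsafeInputError(ValueError):
    """Raised when input carries a DTD/entity or an implausible compression ratio."""


def check_xml(xml_bytes: bytes) -> None:
    """Abort on the first DOCTYPE, entity declaration or external entity reference.

    The handlers raise at the declaration itself, so no entity (internal or
    external) is ever expanded and no file or URL is ever fetched.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise UnsafeInputError("DTD, entity declaration or external entity reference")

    parser.StartDoctypeDeclHandler = reject    # <!DOCTYPE ...>
    parser.EntityDeclHandler = reject          # <!ENTITY ...> in an internal subset
    parser.ExternalEntityRefHandler = reject   # reference to a SYSTEM/PUBLIC entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeInputError(f"malformed XML: {exc}") from exc


def is_xml_safe(xml_bytes: bytes) -> bool:
    """Boolean wrapper around check_xml for callers that gate on the result."""
    try:
        check_xml(xml_bytes)
        return True
    except UnsafeInputError:
        return False


# Assumed thresholds; tune to the largest legitimate METS-GBS package expected.
MAX_RATIO = 100                 # refuse any member expanding more than 100x
MAX_TOTAL = 200 * 1024 * 1024   # refuse packages declaring > 200 MiB uncompressed


def check_archive(zip_bytes: bytes, max_ratio: int = MAX_RATIO, max_total: int = MAX_TOTAL) -> dict:
    """Inspect declared member sizes without decompressing any member.

    Returns {member name: declared uncompressed size}. Declared sizes come from
    headers the sender controls, so extraction must still cap the bytes it
    actually reads; this check only stops the obvious bombs cheaply and early.
    """
    sizes = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise UnsafeInputError(f"{info.filename}: expands {info.file_size // info.compress_size}x")
            total += info.file_size
            if total > max_total:
                raise UnsafeInputError("declared uncompressed size exceeds limit")
            sizes[info.filename] = info.file_size
    return sizes


def is_archive_safe(zip_bytes: bytes) -> bool:
    """Boolean wrapper around check_archive; a corrupt zip is treated as unsafe."""
    try:
        check_archive(zip_bytes)
        return True
    except (UnsafeInputError, zipfile.BadZipFile):
        return False


def build_archive(members: dict) -> bytes:
    """Constructed helper: pack {name: bytes} into an in-memory DEFLATE zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a plain METS-shaped document, the same with a DTD, and
# two packages, one of which carries a member that expands about 1000x.
PLAIN_METS = b'<?xml version="1.0"?><mets><fileSec><fileGrp/></fileSec></mets>'
DTD_METS = b'<?xml version="1.0"?><!DOCTYPE mets [<!ENTITY e "x">]><mets>&e;</mets>'
BENIGN_ARCHIVE = build_archive({"mets.xml": PLAIN_METS})
INFLATING_ARCHIVE = build_archive({"mets.xml": PLAIN_METS, "pad.bin": b"\0" * 1_000_000})


if __name__ == "__main__":
    print("plain xml accepted:", is_xml_safe(PLAIN_METS))                 # True
    print("dtd xml accepted:", is_xml_safe(DTD_METS))                     # False
    print("benign archive accepted:", is_archive_safe(BENIGN_ARCHIVE))     # True
    print("inflating archive accepted:", is_archive_safe(INFLATING_ARCHIVE))  # False
```

Both checks run before any document parser touches the data, which is the point: an entity declaration is refused at the declaration rather than detected after expansion, and a package is refused on its central-directory sizes rather than after it has been inflated into memory. The archive check is deliberately a cheap first gate, not a substitute for bounding the bytes read during real extraction.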