Description
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
Published: 2026-06-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Docling’s HTML backend processes URI and file path inputs without adequate validation, permitting an attacker to craft requests that reference files outside the intended directory. This flaw enables reading of files that should be inaccessible through the web interface, potentially exposing sensitive data. The vulnerability is confined to the handling of URIs and paths and does not grant arbitrary code execution or system-wide compromise. Furthermore, the unchecked handling can lead to uncontrolled consumption of system resources, potentially resulting in denial-of-service conditions.

Affected Systems

All releases of the Docling project prior to version 2.94 affected. The issue resides in the HTML backend component, which forms part of the docling-project:docling product family. Users who have exposed that backend to external clients have an operational risk until the issue is addressed.

Risk and Exploitability

The CVSS score of 7.1 categorises the problem as moderate to high severity. EPSS indicates a very low probability of exploitation (< 1%). The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a network‑exposed endpoint of the HTML backend where an attacker can send specially crafted URI or path parameters to traverse directories and retrieve confidential files. Acquisition of privileged local access is not required for exploitation.

Generated by OpenCVE AI on July 16, 2026 at 00:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Docling installation to version 2.94.0 or later to apply the fixed path‑handling logic.
  • If an immediate upgrade is not feasible, limit external exposure of the HTML backend to trusted networks or internal systems only.
  • Implement strict server‑side validation of all URI and path inputs, ensuring they cannot resolve to files outside the intended directory, thereby mitigating the CWE-22 vulnerability.

Generated by OpenCVE AI on July 16, 2026 at 00:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q29v-xc37-wh5m Docling: Unsafe URI and Path Handling in HTML Backend
History

Thu, 02 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
References
Metrics threat_severity

None

threat_severity

Important


Fri, 26 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Docling-project
Docling-project docling
Vendors & Products Docling-project
Docling-project docling

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
Title Docling: Unsafe URI and Path Handling in HTML Backend
Weaknesses CWE-400
CWE-73
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L'}


Subscriptions

Docling-project Docling
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:41:52.977Z

Reserved: 2026-05-18T22:25:21.258Z

Link: CVE-2026-47214

cve-icon Vulnrichment

Updated: 2026-06-26T17:50:34.311Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-26T15:45:04Z

Links: CVE-2026-47214 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T00:45:04Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-73

    External Control of File Name or Path