Description
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
Published: 2026-06-26
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HTML backend of Docling improperly processes URI and file path inputs. Before version 2.94.0 this allowed an attacker to craft requests that could resolve to files outside the intended directory or cause the backend to consume large amounts of resources. The fix ships in v2.94.0; the weakness classes assigned to the issue (external control of a file path and uncontrolled resource consumption) indicate that it could be leveraged to read restricted files or to disrupt service availability.

Affected Systems

All releases of the Docling document-processing project older than 2.94.0 contain the flaw. The flaw lies in the project's HTML backend component; 2.94.0 and newer releases include a patch that corrects the unsafe path handling.

Risk and Exploitability

A CVSS score of 7.1 is rated High severity. No EPSS information is available, and the issue is not listed in CISA's KEV catalog. Exploitation most likely requires remote access to the HTML backend, for example via exposed network interfaces or APIs, and would enable an attacker to traverse directories or trigger excessive resource use.

Generated by OpenCVE AI on June 26, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official upgrade to Docling v2.94.0 or newer to receive the fixed path handling logic.
  • If an upgrade cannot be performed immediately, restrict inbound traffic to the HTML backend so that only trusted services can reach it, using firewalls or segmentation.
  • Implement strict validation of all incoming URI and file path parameters so that relative or absolute references cannot escape the intended directory boundary, addressing the underlying CWE-73 weakness.



Advisories
Source: GitHub GHSA
ID: GHSA-q29v-xc37-wh5m
Title: Docling: Unsafe URI and Path Handling in HTML Backend
History

Fri, 26 Jun 2026 23:30:00 +0000

Type / Values Removed / Values Added
First Time appeared / (none) / Docling-project; Docling-project docling
Vendors & Products / (none) / Docling-project; Docling-project docling

Fri, 26 Jun 2026 19:30:00 +0000

Type / Values Removed / Values Added
Metrics / (none) / ssvc:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:00:00 +0000

Type / Values Removed / Values Added
Description / (none) / Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
Title / (none) / Docling: Unsafe URI and Path Handling in HTML Backend
Weaknesses / (none) / CWE-400; CWE-73
References / (none) / (no values listed)
Metrics / (none) / cvssV3_1:

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:41:52.977Z

Reserved: 2026-05-18T22:25:21.258Z

Link: CVE-2026-47214

Vulnrichment

Updated: 2026-06-26T17:50:34.311Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T23:15:08Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-73: External Control of File Name or Path