CVE-2026-31247

Published: May 11, 2026

Modified: May 12, 2026

PUBLISHED

Description

Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend uses etree.parse() to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload (XML Bomb). When processed by Docling, the exponential expansion of entities leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/docling-project/docling

https://www.notion.so/CVE-2026-31247-35d1e1393188818fa654c116c6a470bb

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-31247

Description

Affected Products

References