GHSA-j5xp-7m2f-49jv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j5xp-7m2f-49jv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-j5xp-7m2f-49jv/GHSA-j5xp-7m2f-49jv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j5xp-7m2f-49jv
- Aliases
-
- CVE-2026-44019
- Published
- 2026-06-03T21:15:31Z
- Modified
- 2026-06-03T21:30:07.087189597Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- Docling Core: Insufficient validation of image reference URIs
- Details
-
Impact
In versions
>= 2.5.0, < 2.74.1,docling-corecould allow localfile://image references and accepted inlinedata:content without a decoded-size limit.In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads.
Patches
Patched in
docling-core2.74.1. The fix blocks local file URIs by default and adds a size limit for decoded inline image data.Users should upgrade to: -
docling-core>= 2.74.1Workarounds
If upgrading is not immediately possible: - reject
file:anddata:image references from untrusted input - allow only approved local or remote image sources - apply input size and memory limits to processing workersReferences
- Fix release:
v2.74.1
- Fix release:
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-400", "CWE-73" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-06-03T21:15:31Z" }- References
Affected packages
PyPI / docling-core
Package
- Name
- docling-core
- View open source insights on deps.dev
- Purl
- pkg:pypi/docling-core
Affected versions
2.*
2.5.0
2.5.1
2.6.0
2.6.1
2.7.0
2.7.1
2.8.0
2.9.0
2.10.0
2.11.0
2.12.0
2.12.1
2.13.0
2.13.1
2.14.0
2.15.0
2.15.1
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.19.0
2.19.1
2.20.0
2.21.0
2.21.1
2.21.2
2.22.0
2.23.0
2.23.1
2.23.2
2.23.3
2.24.0
2.24.1
2.25.0
2.26.0
2.26.1
2.26.2
2.26.3
2.26.4
2.27.0
2.28.0
2.28.1
2.29.0
2.30.0
2.30.1
2.31.0
2.31.1
2.31.2
2.32.0
2.33.0
2.33.1
2.34.0
2.34.1
2.34.2
2.35.0
2.36.0
2.37.0
2.38.0
2.38.1
2.38.2
2.39.0
2.40.0
2.41.0
2.42.0
2.43.0
2.43.1
2.44.0
2.44.1
2.44.2
2.45.0
2.46.0
2.47.0
2.48.0
2.48.1
2.48.2
2.48.3
2.48.4
2.49.0
2.50.0
2.50.1
2.51.0
2.51.1
2.52.0
2.53.0
2.54.0
2.54.1
2.55.0
2.56.0
2.57.0
2.58.0
2.58.1
2.59.0
2.60.0
2.60.1
2.60.2
2.61.0
2.62.0
2.63.0
2.64.0
2.65.0
2.65.1
2.65.2
2.66.0
2.67.0
2.67.1
2.68.0
2.69.0
2.70.0
2.70.1
2.70.2
2.71.0
2.72.0
2.73.0
2.74.0