GHSA-jmmv-h3mp-59v8

Source

https://github.com/advisories/GHSA-jmmv-h3mp-59v8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jmmv-h3mp-59v8/GHSA-jmmv-h3mp-59v8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jmmv-h3mp-59v8

Aliases

CVE-2026-44023

Published

2026-06-03T21:16:25Z

Modified

2026-06-03T21:30:07.046484992Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator

Summary

Docling Core: Unsafe remote filename resolution

Details

Impact

In versions >= 1.5.0, < 2.74.1, docling-core did not sufficiently restrict remote request destinations and could resolve a server-provided Content-Disposition to a local path in an unsafe manner.

In applications that accept untrusted URLs, this could allow SSRF attacks targeting local files outside the user-defined cache directory.

Patches

Patched in docling-core 2.74.1. The fix adds stricter validation for remote destinations and normalizes server-provided filenames before use.

Users should upgrade to: - docling-core >= 2.74.1

Workarounds

If upgrading is not immediately possible, avoid passing untrusted URLs into remote fetch functionality.

References

Fix release: v2.74.1

Database specific

{
    "github_reviewed_at": "2026-06-03T21:16:25Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-22",
        "CWE-918"
    ],
    "github_reviewed": true,
    "nvd_published_at": null
}

References

Affected packages

PyPI / docling-core

Package

Name: docling-core; View open source insights on deps.dev
Purl: pkg:pypi/docling-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.5.0

Fixed

2.74.1

Affected versions

1.*

1.5.0

1.6.0

1.6.1

1.6.2

1.6.3

1.7.0

1.7.1

1.7.2

2.*

2.0.0

2.0.1

2.1.0

2.2.0

2.2.1

2.2.2

2.2.3

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.5.0

2.5.1

2.6.0

2.6.1

2.7.0

2.7.1

2.8.0

2.9.0

2.10.0

2.11.0

2.12.0

2.12.1

2.13.0

2.13.1

2.14.0

2.15.0

2.15.1

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.18.0

2.18.1

2.19.0

2.19.1

2.20.0

2.21.0

2.21.1

2.21.2

2.22.0

2.23.0

2.23.1

2.23.2

2.23.3

2.24.0

2.24.1

2.25.0

2.26.0

2.26.1

2.26.2

2.26.3

2.26.4

2.27.0

2.28.0

2.28.1

2.29.0

2.30.0

2.30.1

2.31.0

2.31.1

2.31.2

2.32.0

2.33.0

2.33.1

2.34.0

2.34.1

2.34.2

2.35.0

2.36.0

2.37.0

2.38.0

2.38.1

2.38.2

2.39.0

2.40.0

2.41.0

2.42.0

2.43.0

2.43.1

2.44.0

2.44.1

2.44.2

2.45.0

2.46.0

2.47.0

2.48.0

2.48.1

2.48.2

2.48.3

2.48.4

2.49.0

2.50.0

2.50.1

2.51.0

2.51.1

2.52.0

2.53.0

2.54.0

2.54.1

2.55.0

2.56.0

2.57.0

2.58.0

2.58.1

2.59.0

2.60.0

2.60.1

2.60.2

2.61.0

2.62.0

2.63.0

2.64.0

2.65.0

2.65.1

2.65.2

2.66.0

2.67.0

2.67.1

2.68.0

2.69.0

2.70.0

2.70.1

2.70.2

2.71.0

2.72.0

2.73.0

2.74.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-jmmv-h3mp-59v8/GHSA-jmmv-h3mp-59v8.json"