CVE-2026-44019: Docling Core: Insufficient validation of image reference URIs
In versions >= 2.5.0, < 2.74.1, docling-core could allow local file:// image references and accept inline data: content without a decoded-size limit.
In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads.
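One way an application that accepts untrusted image references could enforce both points itself, as an added example (not docling-core's code or its fix). The names check_image_uri, decode_data_uri and UnsafeImageReference, the scheme allow-list and the 1024-byte limit are assumptions for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote_to_bytes

MAX_DECODED_BYTES = 1024  # assumed limit for this demo; size it for your workload
ALLOWED_SCHEMES = {"http", "https", "data"}  # assumed policy: no file://


class UnsafeImageReference(ValueError):
    """Raised when an image reference violates the policy."""


def check_image_uri(uri: str, max_bytes: int = MAX_DECODED_BYTES) -> str:
    """Return the scheme if the reference is acceptable, else raise."""
    uri = uri.strip()
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # Covers file://, scheme-less local paths, and anything unexpected.
        raise UnsafeImageReference(f"scheme not allowed: {scheme or '<none>'}")
    if scheme == "data":
        decode_data_uri(uri, max_bytes)
    return scheme


def decode_data_uri(uri: str, max_bytes: int = MAX_DECODED_BYTES) -> bytes:
    """Decode a data: URI, rejecting payloads that decode to more than max_bytes."""
    header, sep, payload = uri[len("data:"):].partition(",")
    if not sep:
        raise UnsafeImageReference("malformed data: URI")
    if header.lower().endswith(";base64"):
        # Bound the decoded size from the encoded length *before* decoding,
        # so an oversized payload is never expanded in memory.
        if (len(payload) * 3) // 4 - payload[-2:].count("=") > max_bytes:
            raise UnsafeImageReference("data: payload exceeds size limit")
        try:
            return base64.b64decode(payload, validate=True)
        except ValueError as exc:
            raise UnsafeImageReference("invalid base64 payload") from exc
    # Percent-encoded form: decoded length never exceeds the encoded length,
    # so checking the encoded length is a conservative bound.
    if len(payload) > max_bytes:
        raise UnsafeImageReference("data: payload exceeds size limit")
    return unquote_to_bytes(payload)
```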