CVE-2026-44018: Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend

June 3, 2026

The METS-GBS backend’s XML parsing and the input document format detection lacked security controls, enabling:

XML External Entity (XXE) attacks to read local files or cause denial of service
Decompression bombs (zip bombs) to exhaust memory and disk space
Unbounded archive extraction consuming system resources

An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.

References

github.com/advisories/GHSA-r3xg-rg9j-67fv
github.com/docling-project/docling/releases/tag/v2.91.0
github.com/docling-project/docling/security/advisories/GHSA-r3xg-rg9j-67fv
nvd.nist.gov/vuln/detail/CVE-2026-44018

Code Behaviors & Features

Detect and mitigate CVE-2026-44018 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →