CVE-2026-44020: Docling: Unsafe XML Entity Expansion in USPTO Patent Backend

June 3, 2026

The USPTO patent XML parser used the standard xml.sax.parseString() without protection against XML External Entity (XXE) attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could:

Read arbitrary files from the server filesystem
Perform Server-Side Request Forgery (SSRF) attacks
Cause denial of service through entity expansion (Billion Laughs attack)

The vulnerability affects three USPTO patent format parsers: ICE (v4.x), Grant v2.5, and Application v1.x.

References

github.com/advisories/GHSA-m88r-rg27-5xfg
github.com/docling-project/docling/releases/tag/v2.74.0
github.com/docling-project/docling/security/advisories/GHSA-m88r-rg27-5xfg
nvd.nist.gov/vuln/detail/CVE-2026-44020

Code Behaviors & Features

Detect and mitigate CVE-2026-44020 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →