CVE-2026-44022: Docling: Potential Path Traversal via LaTeX \includegraphics and \input Commands
The LaTeX backend’s handling of \includegraphics, \input, and \include commands lacked path containment validation. Attackers could craft malicious LaTeX documents with path traversal sequences (e.g., ../../../etc/passwd) to:
- Read arbitrary files from the file system accessible to the process
- Include sensitive files in the converted document output
- Potentially access configuration files, credentials, or other sensitive data
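A containment check of the kind the advisory says was missing, shown as an added example (it is not Docling's code or its actual patch). The regex, the function names and the sample document are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Commands named in the advisory. Simplified matcher, not a full LaTeX parser.
INCLUDE_RE = re.compile(
    r"\\(includegraphics|input|include)\s*(?:\[[^\]]*\])?\s*\{([^}]*)\}"
)

# Constructed sample document: two benign references, two that escape.
SAMPLE_TEX = r"""
\input{sections/intro}
\includegraphics[width=2cm]{figures/plot.png}
\input{../../../etc/passwd}
\include{/etc/hostname}
"""


def resolve_contained(base_dir, ref):
    """Return the resolved path for ref if it stays inside base_dir, else None."""
    base = Path(base_dir).resolve()
    # Joining with an absolute ref discards base, so absolute paths fail the
    # same test as ../ sequences. resolve() also follows symlinks, so a link
    # inside base_dir that points elsewhere is rejected as well.
    candidate = (base / ref).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def audit_includes(tex_source, base_dir):
    """Return (command, reference, allowed) for each include-style command."""
    results = []
    for match in INCLUDE_RE.finditer(tex_source):
        command, ref = match.group(1), match.group(2).strip()
        results.append((command, ref, resolve_contained(base_dir, ref) is not None))
    return results


def demo():
    """Audit the constructed sample against an empty temporary document root."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_includes(SAMPLE_TEX, tmp)


if __name__ == "__main__":
    for command, ref, allowed in demo():
        print(f"\\{command}{{{ref}}} -> {'allow' if allowed else 'BLOCK'}")
```
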