Vulnerability  ·  2026-06-25

Docling GenAI Document Processor — SSRF via Playwright HTML Renderer, Zip Slip in EasyOCR, and XXE in Patent XML Parser

Vulnerability · High impact · Global
Three separate vulnerabilities were published for Docling on 2026-06-24. CVE-2026-44016 (CVSS 8.2): the optional Playwright HTML renderer fetches attacker-controlled URLs server-side without SSRF protection. CVE-2026-44017 (CVSS 7.5): EasyOCR model download extracts ZIP archives without path validation, enabling path traversal write. CVE-2026-44020 (CVSS 7.5): the USPTO patent XML parser uses xml.sax.parseString() without XXE protection, allowing file read and SSRF from malicious XML.
Docling is IBM's flagship document processing library for generative AI and RAG pipelines, with integrations across the AI ecosystem. Documents ingested into RAG systems are inherently untrusted; these bugs let a malicious document escape the parsing sandbox, read server files, reach internal networks, or overwrite model files — turning the RAG ingestion pipeline into an attack vector.
(CVE-2026-44016) Malicious HTML document triggers SSRF via Playwright-based renderer when HTML backend is enabled; (CVE-2026-44017) Compromised EasyOCR model ZIP archive extracts files outside the target directory (Zip Slip); (CVE-2026-44020) Crafted USPTO patent XML document exploits XXE to read local files or perform SSRF
Docling: CVE-2026-44016 affects 2.82.0–2.90.x; CVE-2026-44017 affects < 2.91.0; CVE-2026-44020 affects 2.13.0–2.73.x
Upgrade to Docling 2.91.0 for all three CVEs. Release: https://github.com/docling-project/docling/releases/tag/v2.91.0 ; XXE advisory: https://github.com/docling-project/docling/security/advisories/GHSA-m88r-rg27-5xfg
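For the Zip Slip case (CVE-2026-44017), the following is an added Python example, not Docling's or EasyOCR's own code: an extractor that resolves every archive member against the destination directory and refuses anything that would land outside it. The archive contents, including the traversal and absolute-path entries and the file name `model/weights.bin`, are constructed inline for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_within(base: Path, target: Path) -> bool:
    """True if target resolves to a location inside base (no '..' escape, no absolute jump)."""
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Extract only members whose final on-disk path stays under dest.

    Returns {"extracted": [...], "rejected": [...]} so a caller can log or alert on
    rejected names; a model archive should normally produce an empty rejected list.
    """
    base = Path(dest).resolve()
    base.mkdir(parents=True, exist_ok=True)
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            candidate = base / name  # joining an absolute name discards base, so check it too
            if os.path.isabs(name) or not is_within(base, candidate):
                result["rejected"].append(name)
                continue
            if name.endswith("/"):
                candidate.mkdir(parents=True, exist_ok=True)
            else:
                candidate.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(candidate, "wb") as dst:
                    dst.write(src.read())
            result["extracted"].append(name)
    return result


def build_demo_zip() -> bytes:
    """Constructed sample archive: one benign file plus two members that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("model/weights.bin", b"placeholder weights")
        zf.writestr("../../outside.txt", b"zip slip attempt")
        zf.writestr("/tmp/absolute.txt", b"absolute path attempt")
    return buf.getvalue()


def demo() -> dict:
    """Run safe_extract on the constructed archive inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_demo_zip(), tmp)
```

Running `demo()` extracts only `model/weights.bin` and reports the two escaping names as rejected.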
Sources
NVD CVE-2026-44016
NVD CVE-2026-44017
NVD CVE-2026-44020
Docling 2.91.0 Release