CVE-2026-31247

Published: Mag 11, 2026 Last Modified: Mag 11, 2026

ExploitDB:

Other exploit source:

Google Dorks:

Description

AI Translation Available

Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend uses etree.parse() to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload (XML Bomb). When processed by Docling, the exponential expansion of entities leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

https://github.com/docling-project/docling

https://www.notion.so/CVE-2026-31247-35d1e1393188818fa654c1…

https://www.notion.so/CVE-2026-31247-35d1e1393188818fa654c116c6a470bb

CVE-2026-31247

Description

Iscriviti alla newsletter