AIKIDO-2026-10270
docling is vulnerable to XML External Entity (XXE) Attack
85
High Risk
This Affects:
doclingTL;DR
Affected versions of this package are vulnerable to XML external entity (XXE) and related injection attacks when parsing certain XML-based document formats. Without proper safeguards, crafted XML input may include external entity references that can cause the parser to disclose local files, perform SSRF lookups, or otherwise expose unintended data during document processing. This can lead to sensitive information exposure or application instability if untrusted documents are processed. The issue is fixed by hardening the XML parsing logic to disable unsafe entity resolution and sanitize XML input, preventing external entity expansion and related attack vectors.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
docling is vulnerable to XML External Entity (XXE) Attack in versions 2.13.0 - 2.73.1.
How to fix this
Upgrade the docling library to a patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant