CVE-2026-44019

Description

### Impact In versions `>= 2.5.0, < 2.74.1`, `docling-core` could allow local `file://` image references and accepted inline `data:` content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads. ### Patches Patched in `docling-core` `2.74.1`. The fix blocks local file URIs by default and adds a size limit for decoded inline image data. Users should upgrade to: - `docling-core` `>= 2.74.1` ### Workarounds If upgrading is not immediately possible: - reject `file:` and `data:` image references from untrusted input - allow only approved local or remote image sources - apply input size and memory limits to processing workers ### References - Fix release: [`v2.74.1`](https://github.com/docling-project/docling-core/releases/tag/v2.74.1)

How to fix CVE-2026-44019

To remediate CVE-2026-44019, upgrade the affected package to a fixed version below.

• —upgrade to 2.74.1 or later

Is CVE-2026-44019 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-44019.

Affected packages (1)

• >= 2.5.0, < 2.74.1

CVSS scores

References (3)

• PATCHgithub.com/docling-project/docling-core
• WEBgithub.com/docling-project/docling-core/releases/tag/v2.74.1
• WEBgithub.com/docling-project/docling-core/security/advisories/GHSA-j5xp-7m2f-49jv