CVE-2026-44020

Description

### Impact The USPTO patent XML parser used the standard `xml.sax.parseString()` without protection against XML External Entity (XXE) attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could: - Read arbitrary files from the server filesystem - Perform Server-Side Request Forgery (SSRF) attacks - Cause denial of service through entity expansion (Billion Laughs attack) The vulnerability affects three USPTO patent format parsers: ICE (v4.x), Grant v2.5, and Application v1.x. ### Patches Fixed in version 2.74.0. The parser now uses `defusedxml.sax.make_parser()` with secure configuration that blocks external entity resolution (`feature_external_ges=False`, `feature_external_pes=False`) while allowing DTD declarations required by USPTO files. This prevents XXE attacks while maintaining compatibility with the USPTO XML format. ### Workarounds Avoid processing USPTO patent XML files from untrusted sources. Implement resource limits (memory, CPU time) when processing patent documents. ### References - Fix release: [v2.74.0](https://github.com/docling-project/docling/releases/tag/v2.74.0)

How to fix CVE-2026-44020

To remediate CVE-2026-44020, upgrade the affected package to a fixed version below.

• —upgrade to 2.74.0 or later

Is CVE-2026-44020 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-44020.

Affected packages (1)

• >= 2.13.0, < 2.74.0

CVSS scores

References (3)

• PATCHgithub.com/docling-project/docling
• WEBgithub.com/docling-project/docling/releases/tag/v2.74.0
• WEBgithub.com/docling-project/docling/security/advisories/GHSA-m88r-rg27-5xfg