CVE-2026-44018
Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend
Description
### Impact

The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling:

- XML External Entity (XXE) attacks to read local files or cause denial of service
- Decompression bombs (zip bombs) to exhaust memory and disk space
- Unbounded archive extraction consuming system resources

An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.

### Patches

Fixed in version 2.91.0. The fix implements:

- Secure XML parsing with `resolve_entities=False`, `load_dtd=False`, and `no_network=True`
- Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count
- Cumulative size tracking across all extractions
- Early termination when limits are exceeded
- Secure format detection of METS-GBS tar archives with the `_detect_mets_gbs()` method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to fail gracefully when limits are exceeded

### Workarounds

Avoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.

### References

- Fix release: [v2.91.0](https://github.com/docling-project/docling/releases/tag/v2.91.0)
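The advisory describes the fix only in outline: a hardened lxml parser plus per-file, per-archive and cumulative extraction limits with early termination. The following is an added example, written for this page and not docling's own code, of what that shape of defence looks like for a tar-based format. The limit values (300 MB total, 10 MB per file, 1000 members) are the ones the advisory quotes; the parser keyword arguments are lxml's; every name in the code (`ExtractionBudget`, `read_members_bounded`, `inspect_archive`, `hardened_xml_parser`, `build_tar`) is this example's own, and the archives it builds are constructed fixtures, not real METS-GBS data.

```python
"""Bounded tar inspection and a hardened lxml parser, modelled on the advisory's fix.

Added example, not docling code. Limit values are the advisory's; the function and
class names are this example's own. lxml is imported lazily so the archive checks
run with the standard library alone.
"""
from __future__ import annotations

import io
import tarfile
from dataclasses import dataclass
from typing import Optional

MAX_TOTAL_BYTES = 300 * 1024 * 1024   # 300 MB across all extractions (advisory value)
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # 10 MB per file (advisory value)
MAX_MEMBERS = 1000                    # member count (advisory value)


class ArchiveLimitExceeded(Exception):
    """Raised as soon as any limit is crossed, so extraction terminates early."""


@dataclass
class ExtractionBudget:
    """Counters shared across archives; reuse one instance to track cumulative totals."""
    max_total: int = MAX_TOTAL_BYTES
    max_member: int = MAX_MEMBER_BYTES
    max_members: int = MAX_MEMBERS
    total_bytes: int = 0
    members: int = 0

    def charge(self, member: tarfile.TarInfo) -> None:
        """Account for one member using its header size, before its body is inflated."""
        self.members += 1
        if self.members > self.max_members:
            raise ArchiveLimitExceeded(f"member count exceeds {self.max_members}")
        if member.size > self.max_member:
            raise ArchiveLimitExceeded(
                f"{member.name!r}: {member.size} bytes exceeds per-file limit {self.max_member}")
        self.total_bytes += member.size
        if self.total_bytes > self.max_total:
            raise ArchiveLimitExceeded(f"cumulative size exceeds {self.max_total} bytes")


def read_members_bounded(data: bytes, budget: ExtractionBudget) -> dict[str, bytes]:
    """Stream the members of a (possibly compressed) tar, stopping at the first violation.

    tarfile decompresses lazily while iterating, and each member is charged against the
    budget from its header before extractfile() inflates the body, so a bomb is rejected
    without the offending member being decompressed.
    """
    out: dict[str, bytes] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():        # directories, links and devices are not extracted
                continue
            budget.charge(member)
            fobj = tf.extractfile(member)
            out[member.name] = fobj.read() if fobj is not None else b""
    return out


def inspect_archive(data: bytes, budget: Optional[ExtractionBudget] = None) -> tuple[bool, str]:
    """Return (accepted, reason). Never raises on attacker-controlled input."""
    budget = budget or ExtractionBudget()
    try:
        members = read_members_bounded(data, budget)
    except ArchiveLimitExceeded as exc:
        return False, str(exc)
    except tarfile.TarError as exc:
        return False, f"not a readable tar archive: {exc}"
    return True, f"{len(members)} file(s), {budget.total_bytes} bytes"


def hardened_xml_parser():
    """lxml parser with the three settings the advisory names, plus huge_tree off."""
    from lxml import etree
    return etree.XMLParser(resolve_entities=False, load_dtd=False,
                           no_network=True, huge_tree=False)


def build_tar(entries: dict[str, bytes]) -> bytes:
    """Construct a gzip-compressed tar in memory (test fixture, not real METS-GBS data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    # Tiny budget so the limits trip on constructed fixtures instead of 10 MB payloads.
    small = ExtractionBudget(max_total=100, max_member=40, max_members=2)
    print(inspect_archive(build_tar({"a.xml": b"<mets/>", "b.txt": b"hi"}), small))
    print(inspect_archive(build_tar({"bomb.bin": b"\0" * 41}), ExtractionBudget(max_member=40)))

    from lxml import etree
    xxe = (b'<?xml version="1.0"?><!DOCTYPE m [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<mets>&xxe;</mets>')
    root = etree.fromstring(xxe, hardened_xml_parser())
    print(etree.tostring(root))   # &xxe; stays an unexpanded entity reference; nothing is read from disk
```

Two design points carry over from the advisory. The budget object is created once and passed to every archive, which is what "cumulative size tracking across all extractions" means in practice: a caller that feeds many small archives through the same budget is cut off at the same 300 MB as a caller feeding one large one. And header sizes are checked before `extractfile()` runs, so the check sits in front of the decompression step rather than after it; a limit applied to already-inflated bytes would defeat the purpose against a decompression bomb.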
How to patch CVE-2026-44018
To patch CVE-2026-44018, upgrade the affected package to the patched version below.
- Upgrade to 2.91.0 or later
Is CVE-2026-44018 being exploited?
There are currently no exploitation signals. CVE-2026-44018 is not in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- >= 2.45.0, < 2.91.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |