CVE-2026-44019

描述

### Impact In versions `>= 2.5.0, < 2.74.1`, `docling-core` could allow local `file://` image references and accepted inline `data:` content without a decoded-size limit. In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads. ### Patches Patched in `docling-core` `2.74.1`. The fix blocks local file URIs by default and adds a size limit for decoded inline image data. Users should upgrade to: - `docling-core` `>= 2.74.1` ### Workarounds If upgrading is not immediately possible: - reject `file:` and `data:` image references from untrusted input - allow only approved local or remote image sources - apply input size and memory limits to processing workers ### References - Fix release: [`v2.74.1`](https://github.com/docling-project/docling-core/releases/tag/v2.74.1)

如何修補 CVE-2026-44019

要修補 CVE-2026-44019,請將受影響套件升級到下列已修補版本。

• —升級至 2.74.1 或更新版本

CVE-2026-44019 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-44019 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)

• >= 2.5.0, < 2.74.1

CVSS 分數

參考連結(3)

• PATCHgithub.com/docling-project/docling-core
• WEBgithub.com/docling-project/docling-core/releases/tag/v2.74.1
• WEBgithub.com/docling-project/docling-core/security/advisories/GHSA-j5xp-7m2f-49jv