CVE-2026-44020

描述

### Impact The USPTO patent XML parser used the standard `xml.sax.parseString()` without protection against XML External Entity (XXE) attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could: - Read arbitrary files from the server filesystem - Perform Server-Side Request Forgery (SSRF) attacks - Cause denial of service through entity expansion (Billion Laughs attack) The vulnerability affects three USPTO patent format parsers: ICE (v4.x), Grant v2.5, and Application v1.x. ### Patches Fixed in version 2.74.0. The parser now uses `defusedxml.sax.make_parser()` with secure configuration that blocks external entity resolution (`feature_external_ges=False`, `feature_external_pes=False`) while allowing DTD declarations required by USPTO files. This prevents XXE attacks while maintaining compatibility with the USPTO XML format. ### Workarounds Avoid processing USPTO patent XML files from untrusted sources. Implement resource limits (memory, CPU time) when processing patent documents. ### References - Fix release: [v2.74.0](https://github.com/docling-project/docling/releases/tag/v2.74.0)

如何修補 CVE-2026-44020

要修補 CVE-2026-44020,請將受影響套件升級到下列已修補版本。

• —升級至 2.74.0 或更新版本

CVE-2026-44020 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-44020 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)

• >= 2.13.0, < 2.74.0

CVSS 分數

參考連結(3)

• PATCHgithub.com/docling-project/docling
• WEBgithub.com/docling-project/docling/releases/tag/v2.74.0
• WEBgithub.com/docling-project/docling/security/advisories/GHSA-m88r-rg27-5xfg