CVE-2026-47214
Docling: Unsafe URI and Path Handling in HTML Backend
Description

### Impact

The HTML backend did not perform sufficient validation during resource handling:

- Accepted `file://` URIs, enabling local file system access when `enable_local_fetch=True`
- Path resolution allowed traversal outside intended directories via `../` sequences and absolute paths
- Did not block internal network resources under `enable_remote_fetch=True`
- HTTP redirects were not validated, potentially redirecting to unintended schemes
- No resource limits for remote image downloads and `data:` URIs

### Patches

Fixed in versions 2.91.0 (initial fixes) and 2.94.0 (additional improvements). The fixes implement:

- Updated local path treatment: absolute files are always blocked; relative paths require `enable_local_fetch=True` (default: False) and containment within the configured `base_path`, for path traversal protection
- `file://` scheme stripped and the remainder treated as a local path (as above)
- IP address validation to prevent SSRF
- HTTP redirect validation, connection and read timeouts
- Size limit for both remote images (with streaming download) and base64-decoded `data:` URIs

### Workarounds

Keep both `enable_local_fetch=False` and `enable_remote_fetch=False` (the defaults) when processing untrusted HTML documents.

### References

- Initial fixes: [v2.91.0](https://github.com/docling-project/docling/releases/tag/v2.91.0)
- Additional improvements: [v2.94.0](https://github.com/docling-project/docling/releases/tag/v2.94.0)
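The checks listed under Patches, written out as an added example (this is not docling's own code): `resolve_local`, `remote_allowed`, `follow_redirects`, `decode_data_uri` and `MAX_RESOURCE_BYTES` are hypothetical names, the DNS resolver is injectable so the policy can be exercised offline, and the size limit is a constructed value.

```python
import base64
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlparse

MAX_RESOURCE_BYTES = 10 * 1024 * 1024  # constructed limit, not docling's value
# Default resolver; tests inject a fake one so no network is needed.
DEFAULT_RESOLVER = lambda h: [ai[4][0] for ai in socket.getaddrinfo(h, None)]

def resolve_local(ref: str, base_path: Path, enable_local_fetch: bool = False):
    """Return the path to read, or None when the reference must be blocked."""
    if ref.lower().startswith("file://"):
        ref = ref[len("file://"):]          # strip scheme, treat as plain path
    candidate = Path(ref)
    if candidate.is_absolute():             # absolute paths are always blocked
        return None
    if not enable_local_fetch:              # default: no local access at all
        return None
    base = base_path.resolve()
    resolved = (base / candidate).resolve() # collapses ../ and symlinks
    try:
        resolved.relative_to(base)          # containment inside base_path
    except ValueError:
        return None
    return resolved

def remote_allowed(url: str, resolve_host=DEFAULT_RESOLVER) -> bool:
    """Allow only http(s) URLs whose host resolves to globally routable IPs."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    try:
        addrs = resolve_host(u.hostname)
    except OSError:
        return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)

def follow_redirects(start_url: str, hops, resolve_host=DEFAULT_RESOLVER) -> bool:
    """Re-validate every hop of a redirect chain, not only the first URL."""
    return all(remote_allowed(u, resolve_host) for u in [start_url, *hops])

def decode_data_uri(uri: str, max_bytes: int = MAX_RESOURCE_BYTES):
    """Decode a base64 data: URI, refusing it before decoding if too large."""
    header, _, payload = uri.partition(",")
    if not header.startswith("data:") or not header.endswith(";base64"):
        return None
    if len(payload) * 3 // 4 > max_bytes:   # bound the decoded size up front
        return None
    return base64.b64decode(payload, validate=True)
```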
How to fix CVE-2026-47214
To fix CVE-2026-47214, upgrade the affected package to the patched version listed below.
- Upgrade to 2.94.0 or later
Is CVE-2026-47214 being exploited?
There are currently no exploitation signals. CVE-2026-47214 is neither listed in CISA KEV nor has a recent EPSS score.
Affected packages (1)
- from 0, < 2.94.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L |