Docling JATS XML Backend XML Entity Expansion Vulnerability Allowing Denial-of-Service
Vulnerability
An XML entity expansion (XXE) vulnerability has been identified in Docling's JATS XML backend, affecting versions through 2.61.0. The backend passes XML files to etree.parse() without disabling entity resolution, so an attacker can supply a crafted XML file carrying a nested entity-expansion payload (an "XML bomb"). When Docling processes such a file, the exponential expansion of entities causes excessive resource consumption and a denial-of-service (DoS) condition on the system running the Docling parser.
Impact
Exploitation of this vulnerability causes excessive resource consumption on the affected system, resulting in a denial-of-service condition.
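The following is an added, stdlib-only illustration of the defensive check the description above implies, not Docling's own code. It assumes JATS input arrives as bytes and refuses any document whose DTD declares entities before the real parser ever sees it; with lxml, the corresponding knob on the parser used by etree.parse() is etree.XMLParser(resolve_entities=False).

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class EntityDeclarationError(ValueError):
    """Raised when the input's DTD declares an entity; such input is refused outright."""

def _reject_entity_decl(name, is_param, value, base, system_id, public_id, notation):
    # expat invokes this at the <!ENTITY ...> declaration itself, i.e. before any
    # &ref; in the body can be expanded, so the scan aborts cheaply.
    kind = "external" if system_id else "internal"
    raise EntityDeclarationError(f"{kind} entity {name!r} declared in DTD")

def _reject_external_ref(context, base, system_id, public_id):
    # Never fetch external entities or external DTD subsets.
    raise EntityDeclarationError(f"external entity reference to {system_id!r}")

def assert_no_entity_declarations(data: bytes) -> None:
    """Scan `data` with a handler-only expat parser; raise on any entity declaration."""
    scanner = expat.ParserCreate()
    scanner.EntityDeclHandler = _reject_entity_decl
    scanner.ExternalEntityRefHandler = _reject_external_ref
    scanner.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    scanner.Parse(data, True)

def is_safe_to_parse(data: bytes) -> bool:
    """True if the scan accepts `data`, False if it declares entities."""
    try:
        assert_no_entity_declarations(data)
    except EntityDeclarationError:
        return False
    return True

def parse_jats_safely(data: bytes) -> ET.Element:
    """Parse a JATS document only after the scan confirms it declares no entities."""
    assert_no_entity_declarations(data)
    return ET.fromstring(data)

# Constructed sample inputs (not real documents); the DOCTYPE identifiers are placeholders.
CLEAN_JATS = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE article PUBLIC "-//EXAMPLE//DTD JATS placeholder//EN" "jats.dtd">\n'
              b'<article><front><article-title>Hello</article-title></front></article>')
# Smallest shape of the nested entity declaration pattern the advisory describes.
NESTED_ENTITIES = (b'<?xml version="1.0"?>\n'
                   b'<!DOCTYPE article [ <!ENTITY a "x"> <!ENTITY b "&a;&a;"> ]>\n'
                   b'<article>&b;</article>')

if __name__ == "__main__":
    print(parse_jats_safely(CLEAN_JATS).tag)   # article
    print(is_safe_to_parse(NESTED_ENTITIES))   # False
```

A legitimate JATS file that ships a public DOCTYPE without an internal entity subset passes the scan unchanged; only documents that declare their own entities are refused.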
