CVE-2026-31247
Status: Received - Intake
XML Entity Expansion DoS in Docling JATS XML Backend

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: MITRE

Description
Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks through 2.61.0. The backend uses etree.parse() to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload (XML Bomb). When processed by Docling, the exponential expansion of entities leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-05-11
EPSS Evaluated: 2026-06-19
Affected Vendors & Products
Vendor: docling_project
Product: docling
Version / Range: 2.61.0
CWE ID: CWE-UNKNOWN
AI Quick Actions
Compliance Impact

The vulnerability in Docling's JATS XML backend allows an attacker to cause a denial of service (DoS) through XML Entity Expansion (XXE) attacks, leading to excessive resource consumption. While the CVE description does not explicitly mention compliance impacts, such a DoS vulnerability could affect the availability of systems that process sensitive data.

Standards and regulations like GDPR and HIPAA emphasize the confidentiality, integrity, and availability of data. A denial of service attack impacts availability, which is a key component of these regulations. Therefore, this vulnerability could hinder compliance by risking system availability during an attack.

However, there is no direct information in the provided context or resources about specific compliance implications or mitigation steps related to GDPR, HIPAA, or other standards.

Executive Summary

Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks up to version 2.61.0. The vulnerability arises because the backend uses etree.parse() to process XML files without disabling entity resolution.

An attacker can create a malicious XML file containing a nested entity expansion payload, also known as an XML Bomb. When Docling processes this file, the exponential expansion of these entities causes excessive consumption of system resources.

This resource exhaustion leads to a denial of service (DoS) condition on the system running the Docling parser.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition on the system running Docling.

By exploiting the XML Entity Expansion vulnerability, an attacker can cause the system to consume excessive resources, potentially making the Docling service unavailable or severely degraded.

Detection Guidance

This vulnerability involves XML Entity Expansion (XXE) attacks through Docling's JATS XML backend, which calls etree.parse() without disabling entity resolution. Detection would involve monitoring for the processing of malicious XML files that contain nested entity expansions and cause excessive resource consumption.

Specific commands to detect this vulnerability are not provided in the available context or resources.

Mitigation Strategies

The vulnerability arises because Docling's XML parser does not disable entity resolution, allowing XML bombs to cause denial of service by resource exhaustion.

Immediate mitigation steps would typically include disabling XML entity resolution in the parser configuration or updating Docling to a version where this issue is fixed. However, no specific mitigation instructions or patches are provided in the available context or resources.
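The parser-side mitigation described above, as an added example that is not Docling's own code: a stdlib-only pre-screen that refuses any XML document declaring entities before the tree parser sees it, so a nested-entity payload fails at its first <!ENTITY> instead of being expanded. It assumes inputs arrive as bytes; the two sample documents are constructed for this demonstration and are not taken from the advisory.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Document declares entities or references an external one."""


def screen_for_entities(data: bytes) -> None:
    """Streaming expat pass whose handlers abort on the first entity
    declaration; expat calls the handler before any entity is expanded."""
    parser = expat.ParserCreate()

    def refuse_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} refused")

    def refuse_external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError(f"external entity reference {system_id!r} refused")

    parser.EntityDeclHandler = refuse_entity_decl
    parser.ExternalEntityRefHandler = refuse_external_ref
    parser.Parse(data, True)


def parse_xml_safely(data: bytes) -> ET.Element:
    """Screen first, then build the tree with the stdlib parser."""
    screen_for_entities(data)
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True when the screen refuses the document."""
    try:
        parse_xml_safely(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs (not from the advisory). The first nests three
# internal entities so one reference expands to 1,000 copies of "lol"; real
# payloads nest far deeper, but the screen refuses it at the first <!ENTITY>.
BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE article [
 <!ENTITY a "lol">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<article><body><p>&c;</p></body></article>"""
CLEAN = (b"<article><front><article-meta><title-group><article-title>Hello"
         b"</article-title></title-group></article-meta></front></article>")
```

If the parser in use is lxml, the corresponding setting is etree.XMLParser(resolve_entities=False), which stops entity references from being expanded during parsing.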
