Upgrade docling to version 2.94.0 or higher.
docling is an SDK and CLI for parsing PDF, DOCX, HTML, and more into a unified document representation that powers downstream workflows such as generative AI applications.
Affected versions of this package are vulnerable to External Control of File Name or Path in backend/html_backend.py, which does not properly validate the URIs and file paths referenced by an HTML document. An attacker who controls the input document can read local files directly through the file:// scheme and traverse directories outside the intended boundary (when enable_local_fetch is set to True), or make the parser retrieve internal network resources, i.e. server-side request forgery (when enable_remote_fetch is set to True). Resources embedded with the data: scheme may also be very large and thus consume excessive memory and CPU; note that this resource-consumption issue is not described as being controlled by either fetch flag.
Until the upgrade to 2.94.0 or later can be applied, this vulnerability can be mitigated by keeping both enable_local_fetch=False and enable_remote_fetch=False, so that the HTML backend neither reads local files nor fetches remote resources referenced by the document.
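The following is an added example, not docling's code and not taken from the advisory, showing the validation an HTML backend needs before following a src/href from an untrusted document: a scheme allowlist, confinement of local paths to the document's directory (catching ../ traversal, absolute file:// paths and symlinks), rejection of loopback/private/link-local targets for remote fetches, and a size cap on data: payloads enforced before decoding. The parameter names enable_local_fetch and enable_remote_fetch mirror the advisory; the functions, the base directory /srv/docs and the sample references are constructed for illustration. Both flags default to False, which is the advisory's mitigated configuration.

```python
"""Reference validation for an HTML-to-document converter (illustrative, not docling's code)."""
import base64
import binascii
import ipaddress
import socket
from pathlib import Path
from urllib.parse import unquote, urlsplit

DEMO_BASE_DIR = Path("/srv/docs")  # constructed document directory; need not exist


class RefRejected(ValueError):
    """A referenced resource failed validation and must not be fetched."""


def _host_is_global(host: str) -> bool:
    """True only if every address the host maps to is publicly routable.
    Loopback, RFC 1918, link-local (including 169.254.169.254 metadata endpoints)
    and reserved ranges are refused. Hostnames are resolved with getaddrinfo;
    unresolvable names fail closed. Constructed helper, not a docling API."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            return False
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    return bool(addrs) and all(a.is_global for a in addrs)


def validate_reference(ref, *, base_dir, enable_local_fetch=False,
                       enable_remote_fetch=False, max_data_bytes=1 << 20):
    """Decide whether a src/href from an untrusted HTML document may be fetched.
    Returns ("local", path) / ("remote", url) / ("data", payload_bytes) or raises RefRejected."""
    ref = ref.strip()
    parts = urlsplit(ref)
    scheme = parts.scheme.lower()

    if scheme == "data":
        # data:[<mediatype>][;base64],<payload>  -- bound the size *before* decoding
        header, sep, payload = ref[len("data:"):].partition(",")
        if not sep:
            raise RefRejected("malformed data: URI")
        if header.lower().endswith(";base64"):
            if len(payload) > max_data_bytes * 4 // 3 + 4:  # encoded length bounds decoded length
                raise RefRejected("data: payload exceeds size limit")
            try:
                raw = base64.b64decode(payload, validate=True)
            except binascii.Error as exc:
                raise RefRejected("data: payload is not valid base64") from exc
        else:
            if len(payload) > max_data_bytes:  # percent-decoding never lengthens
                raise RefRejected("data: payload exceeds size limit")
            raw = unquote(payload).encode("utf-8")
        if len(raw) > max_data_bytes:
            raise RefRejected("data: payload exceeds size limit")
        return ("data", raw)

    if scheme in ("", "file"):
        if not enable_local_fetch:
            raise RefRejected("local file access is disabled (enable_local_fetch=False)")
        if scheme == "" and parts.netloc:
            raise RefRejected("protocol-relative reference")
        if scheme == "file" and parts.netloc not in ("", "localhost"):
            raise RefRejected("file:// URI names a remote host")
        root = Path(base_dir).resolve()
        rel = unquote(parts.path)
        # Absolute paths are taken as-is, relative ones against the document directory.
        # resolve() normalises ".." and follows symlinks, so links out of root are caught.
        candidate = (Path(rel) if rel.startswith("/") else root / rel).resolve()
        if candidate != root and root not in candidate.parents:
            raise RefRejected(f"path escapes {root}: {candidate}")
        return ("local", str(candidate))

    if scheme in ("http", "https"):
        if not enable_remote_fetch:
            raise RefRejected("remote fetch is disabled (enable_remote_fetch=False)")
        host = parts.hostname
        if not host or not _host_is_global(host):
            raise RefRejected(f"remote host is not publicly routable: {host}")
        return ("remote", ref)

    raise RefRejected(f"scheme not allowed: {scheme}")


def allowed_kind(ref, **policy):
    """Kind a reference is accepted as ("local"/"remote"/"data"), or None if rejected."""
    try:
        return validate_reference(ref, **policy)[0]
    except RefRejected:
        return None


def triage(refs, **policy):
    """Run every reference through validate_reference; returns (allowed, rejected) lists."""
    allowed, rejected = [], []
    for ref in refs:
        try:
            allowed.append((ref, validate_reference(ref, **policy)[0]))
        except RefRejected as exc:
            rejected.append((ref, str(exc)))
    return allowed, rejected


# Constructed sample of src/href values as they might appear in a hostile HTML input.
SAMPLE_REFS = [
    "img/figure1.png",
    "../../../etc/passwd",
    "file:///etc/passwd",
    "http://169.254.169.254/latest/meta-data/",
    "http://8.8.8.8/logo.png",
    "data:text/plain;base64,aGVsbG8=",
]

if __name__ == "__main__":
    for policy in ({}, {"enable_local_fetch": True, "enable_remote_fetch": True}):
        ok, bad = triage(SAMPLE_REFS, base_dir=DEMO_BASE_DIR, **policy)
        print(policy or "defaults (both fetch flags False)", "allowed:", ok, "rejected:", bad)
```

With the defaults only the small data: payload survives triage; with both flags enabled the in-tree image and the public host are accepted while the traversal, the absolute file:// path and the metadata endpoint are still refused. The host check resolves names at validation time, so a real fetcher should connect to the address it validated (or re-validate on redirect) rather than let the HTTP client resolve again, otherwise DNS rebinding can defeat it.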