2492339 – (CVE-2026-44016) CVE-2026-44016 docling: Docling: Remote code execution via malicious HTML in Playwright-based rendering

Bug 2492339 (CVE-2026-44016) - CVE-2026-44016 docling: Docling: Remote code execution via malicious HTML in Playwright-based rendering

Summary: CVE-2026-44016 docling: Docling: Remote code execution via malicious HTML in ...

Keywords:
Status:	NEW
Alias:	CVE-2026-44016
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-24 18:06 UTC by OSIDB Bzimport
Modified:	2026-06-25 11:56 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:06:40 UTC

Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. FIn versions >= 2.82.0, < 2.91.0, if the HTML backend was explicitly configured for rendering (rendering option by default deactivated), then the Playwright-based rendering feature could allow JavaScript execution and unrestricted network access when processing untrusted HTML documents. An attacker could craft malicious HTML that executes arbitrary JavaScript in the rendering context or makes unauthorized network requests to internal services, potentially leading to SSRF attacks, data exfiltration, or remote code execution in the rendering environment. This vulnerability is fixed in 2.91.0.

Note You need to log in before you can comment on or make changes to this bug.