What is CVE-2026-31248?

CVE-2026-31248 is a high-severity vulnerability in N/a, classified under Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion). CVSS score: 7.5/10. Published 2026-05-11.

How severe is CVE-2026-31248?

High severity. CVSS v3 base score is 7.5 out of 10.

XXE in N/a

CVE-2026-31248

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can cr…

EPSS: 0.001 (21.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

N/a — versions n/a

Weakness classification (CWE)

CWE-776 — Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)

References

cve@mitre.org
cve@mitre.org

Frequently asked questions

What is CVE-2026-31248?: CVE-2026-31248 is a high-severity vulnerability in N/a, classified under Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion). CVSS score: 7.5/10. Published 2026-05-11.
How severe is CVE-2026-31248?: High severity. CVSS v3 base score is 7.5 out of 10.