Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Primary rating from Vendor (https://github.com/docling-project/docling).
CVSS VectorVendor: https://github.com/docling-project/docling
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
Impact
In versions >= 2.82.0, < 2.91.0, if the HTML backend was explicitly configured for rendering (rendering option by default deactivated), then the Playwright-based rendering feature could allow JavaScript execution and unrestricted network access when processing untrusted HTML documents. An attacker could craft malicious HTML that executes arbitrary JavaScript in the rendering context or makes unauthorized network requests to internal services, potentially leading to SSRF attacks, data exfiltration, or remote code execution in the rendering environment.
Patches
Fixed in version 2.91.0. The rendering context now explicitly disables JavaScript execution (java_script_enabled=False) and implements network isolation controls. When enable_remote_fetch is disabled, the browser operates in offline mode, preventing all network requests.
Workarounds
Refrain from using render_page=True when processing untrusted HTML documents.
References
- Fix release: v2.91.0
AnalysisAI
Server-side request forgery and potential remote code execution in Docling versions 2.82.0 through 2.90.x affect deployments that explicitly enable the Playwright-based HTML rendering backend. When render_page=True is set, untrusted HTML documents can execute arbitrary JavaScript in the rendering browser context and reach internal network services, enabling SSRF, data exfiltration, or code execution in the rendering environment. No public exploit identified at time of analysis, and the issue is not in CISA KEV, but a vendor-confirmed fix exists in 2.91.0.
Technical ContextAI
Docling is a Python document-processing library (pkg:pip/docling) that converts documents such as HTML into structured outputs. The vulnerable code path uses Playwright - a headless-browser automation framework - to render HTML pages when the optional rendering mode is enabled. Because the browser context was launched with JavaScript execution allowed and without network isolation, any script tags or fetch/XHR calls inside attacker-supplied HTML executed against the rendering host's network position. The root cause is classified as CWE-94 (Improper Control of Generation of Code, i.e. code injection): untrusted HTML is effectively executed as code inside a privileged browser session that has access to the host's internal network.
RemediationAI
Vendor-released patch: 2.91.0 - upgrade Docling to version 2.91.0 or later, where the rendering context is launched with java_script_enabled=False and network access is gated by enable_remote_fetch (which, when disabled, runs the browser fully offline). The vendor-supplied workaround for sites that cannot upgrade immediately is to refrain from setting render_page=True when processing untrusted HTML documents; this prevents the vulnerable Playwright path from being invoked but also removes the visual rendering capability for those workloads. Additional compensating controls include running the rendering worker in a network-isolated container with egress restricted to required hosts only (mitigates SSRF reach but adds operational complexity) and validating/sanitizing inbound HTML upstream. Refer to the GHSA advisory at https://github.com/docling-project/docling/security/advisories/GHSA-pj2v-ggqh-cmq2 and the 2.91.0 release notes at https://github.com/docling-project/docling/releases/tag/v2.91.0.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39003
GHSA-pj2v-ggqh-cmq2