Security Vulnerabilities
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the input document format detection lacked security controls. An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes. This vulnerability is fixed in 2.91.0.
CVSS Score
5.5
EPSS Score
0.001
Published
2026-06-26
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.
The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.
An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).
CVSS Score
5.5
EPSS Score
0.001
Published
2026-06-26
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data.
An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.
CVSS Score
7.8
EPSS Score
0.002
Published
2026-06-26
In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
CVSS Score
5.3
EPSS Score
0.002
Published
2026-06-26
In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details
CVSS Score
4.3
EPSS Score
0.002
Published
2026-06-26
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
CVSS Score
4.3
EPSS Score
0.002
Published
2026-06-26
In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
CVSS Score
2.6
EPSS Score
0.004
Published
2026-06-26
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
CVSS Score
4.3
EPSS Score
0.002
Published
2026-06-26
In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible
CVSS Score
3.1
EPSS Score
0.001
Published
2026-06-26
In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata
CVSS Score
6.7
EPSS Score
0.001
Published
2026-06-26