Open-Source Security Intelligence

Know every vulnerability
before it knows you.

DevGuard continuously monitors your dependencies and alerts you when CVEs like this one affect your stack — with real-time threat intelligence built for developers.

Checkout DevGuard View on GitHub

GHSA-pj2v-ggqh-cmq2

HighCVSS 8.2 / 10

Published Jun 3, 2026·Last modified Jun 3, 2026

Affected Components(1)

docling

2.82.0 – 2.91.0

Description

Impact

In versions >= 2.82.0, < 2.91.0, if the HTML backend was explicitly configured for rendering (rendering option by default deactivated), then the Playwright-based rendering feature could allow JavaScript execution and unrestricted network access when processing untrusted HTML documents. An attacker could craft malicious HTML that executes arbitrary JavaScript in the rendering context or makes unauthorized network requests to internal services, potentially leading to SSRF attacks, data exfiltration, or remote code execution in the rendering environment.

Patches

Fixed in version 2.91.0. The rendering context now explicitly disables JavaScript execution (java_script_enabled=False) and implements network isolation controls. When enable_remote_fetch is disabled, the browser operates in offline mode, preventing all network requests.

Workarounds

Refrain from using render_page=True when processing untrusted HTML documents.

References

Fix release: v2.91.0

Risk Scores

Base Score

8.2

The vulnerability can be exploited over the network without needing physical access. It is difficult for an attacker to exploit this vulnerability and may require special conditions. An attacker does not need any special privileges or access rights. The attacker needs the user to perform some action, like clicking a link. The vulnerability can affect other systems as well, not just the initial system. There is a high impact on the confidentiality of the information. There is a high impact on the integrity of the data. There is a low impact on the availability of the system.

Threat Intelligence

7.5

Exploitation activity has been observed. Apply available patches or mitigations urgently.

EPSS

N/A

Probability that this vulnerability will be exploited in the wild within the next 30 days.

Exploit

Not available

We did not find any exploit available. Neither in GitHub repositories nor in the Exploit-Database.

Browse More

High severity

Scan your project

Continuously monitor your dependencies and get alerted when vulnerabilities like this one affect your stack.