CVE-2026-31248
Published: 11 May 2026
Summary
CVE-2026-31248 is a high-severity XML Entity Expansion (CWE-776) vulnerability in Notion (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, it is ranked at the 6.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
NVD Description
Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks through 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.
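A defensive pattern for the code path described above, as an added example that is not Docling's code or its fix: XML members of an untrusted .tar.gz are scanned with the standard-library expat parser and rejected at the DOCTYPE, before any entity can expand, and only then parsed. The function names, the size cap and the sample archive builder are assumptions made for this illustration.

```python
import io
import tarfile
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_XML_BYTES = 5 * 1024 * 1024  # assumed per-file cap, tune to your corpus

class ForbiddenXML(ValueError):
    """Raised when a document carries a DTD or entity declaration."""

def _forbid(kind):
    def handler(*_args):
        raise ForbiddenXML(f"{kind} not allowed in untrusted XML")
    return handler

def parse_untrusted_xml(data: bytes) -> ET.Element:
    # Pass 1: expat scan; the DOCTYPE handler fires before entities expand.
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    scanner.EntityDeclHandler = _forbid("ENTITY declaration")
    scanner.Parse(data, True)
    # Pass 2: no DTD is present, so a normal parse has nothing to expand.
    return ET.fromstring(data)

def parse_xml_members(archive: bytes) -> dict:
    """Return {member name: root tag or rejection reason} for .xml members."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith(".xml")):
                continue
            if member.size > MAX_XML_BYTES:
                results[member.name] = "rejected: too large"
                continue
            data = tar.extractfile(member).read()
            try:
                results[member.name] = parse_untrusted_xml(data).tag
            except (ForbiddenXML, expat.ExpatError, ET.ParseError) as exc:
                results[member.name] = f"rejected: {exc}"
    return results

def build_sample_archive(files: dict) -> bytes:
    """Constructed in-memory .tar.gz used only to exercise the code above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Rejecting every DOCTYPE is stricter than disabling entity resolution; it suits formats such as METS that do not need a DTD at parse time.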
Details
- CWE(s)