
CVE-2026-44017: Docling: Unsafe Zip Extraction in EasyOCR Model Download


📋 Vulnerability Details

CVE ID: CVE-2026-44017
Vendor: pip
Affected Product: docling
Vulnerability Type: Vulnerability
CVSS Score: 7.5 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Impact

In versions < 2.91.0, the EasyOCR model download functionality extracted ZIP archives without validating member paths, enabling Zip Slip attacks. If an attacker could compromise the model download source (via a supply chain attack, DNS spoofing, or MITM), they could write arbitrary files to any location writable by the process. The reach of such a write is bounded only by the privileges of the process that runs the download, so a model fetch performed as root (for example during a container image build) exposes system binaries, while one run as an ordinary user still exposes that user's home directory and virtual environment. An attacker could potentially achieve:

• Remote code execution by overwriting Python files or system binaries
• Persistent backdoors by modifying startup scripts or SSH keys
• Data corruption or system compromise

Patches

Fixed in version 2.91.0. The extraction process now validates each archive member path using os.path.realpath() to ensure it remains within the target directory, raising a SecurityError for any path traversal attempts.
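The check described in the fix, shown as an added example in Python (this is not docling's own code). An illustrative vulnerable extraction loop that joins each member name onto the target directory sits beside a hardened one that resolves every member with os.path.realpath(), refuses anything outside the target, and raises a SecurityError before a single byte is written. The in-memory archive, its member names (including the hypothetical model filename), and the SecurityError class are constructed here for the example.

```python
import io
import os
import tempfile
import zipfile


class SecurityError(Exception):
    """Raised when an archive member would resolve outside the target directory."""


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: content}. Member names are
    stored verbatim, so traversal sequences survive into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archive: a plausible model file plus one Zip Slip member.
MALICIOUS_MEMBERS = {
    "model/craft_mlt_25k.pth": b"\x00" * 16,  # hypothetical model filename
    "../evil.txt": b"pwned",                  # lands one level above the target
}


def extract_unsafe(zip_bytes: bytes, target_dir: str) -> list:
    """Illustrative vulnerable pattern (not docling's code): the member name is
    joined onto target_dir and written wherever that path lands."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            dest = os.path.join(target_dir, info.filename)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(dest))
    return written


def safe_member_path(target_dir: str, member_name: str) -> str:
    """Resolve member_name under target_dir with realpath() and refuse any result
    that is neither the target itself nor a descendant of it. This rejects '../'
    traversal, absolute member names, and hops through symlinks already on disk."""
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, member_name))
    if dest != root and not dest.startswith(root + os.sep):
        raise SecurityError(f"zip member escapes target directory: {member_name!r}")
    return dest


def member_is_safe(target_dir: str, member_name: str) -> bool:
    """Boolean wrapper around safe_member_path for quick checks."""
    try:
        safe_member_path(target_dir, member_name)
        return True
    except SecurityError:
        return False


def extract_safe(zip_bytes: bytes, target_dir: str) -> list:
    """Hardened extraction: validate every member before writing anything, so a
    poisoned archive leaves no partial extraction behind."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        dests = [safe_member_path(target_dir, info.filename) for info in infos]
        written = []
        for info, dest in zip(infos, dests):
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(dest)
    return written


def demo() -> dict:
    """Run both extractors on the constructed archive inside a temp directory."""
    with tempfile.TemporaryDirectory() as base:
        target = os.path.realpath(os.path.join(base, "models"))
        os.makedirs(target)
        unsafe_paths = extract_unsafe(build_zip(MALICIOUS_MEMBERS), target)
        escaped = [p for p in unsafe_paths if not p.startswith(target + os.sep)]
        try:
            extract_safe(build_zip(MALICIOUS_MEMBERS), os.path.join(base, "models2"))
            safe_error = None
        except SecurityError as exc:
            safe_error = str(exc)
        benign = extract_safe(build_zip({"model/w.bin": b"x"}), os.path.join(base, "models3"))
        return {
            "escaped": [os.path.basename(p) for p in escaped],  # ["evil.txt"]
            "safe_error": safe_error,
            "benign_written": len(benign),
        }


if __name__ == "__main__":
    print(demo())
```

Two points worth noting when applying this pattern. First, validation runs over the whole member list before any write, so a hostile archive cannot leave a half-extracted model directory behind. Second, CPython's own ZipFile.extractall() strips drive letters, leading separators and ".." components from member names, but code that builds destination paths itself, as the vulnerable loop above does, gets none of that protection and must check containment explicitly.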

Workarounds

Ensure mode
