QuantumScan public scan report

Repository

docling-project/docling

Scanned on Jun 17, 2026

Risk score: 42 / 100 (Moderate risk)

Summary

The repository contains one critical finding related to the use of a curl command that explicitly allows TLS 1.2 but is part of a shell script download pattern that could be manipulated. While the command itself enforces TLS 1.2 (not 1.0/1.1), the use of 'curl | sh' for installing external dependencies presents a supply chain risk. This is a LaTeX backend engine component with moderate business impact if compromised.

Findings by severity

Critical: 1
High: 0
Medium: 0
Low: 0

Top findings

  • Critical: TLS 1.0 / 1.1

    docling/backend/latex/engines/tectonic.py:86

    Raw evidence
    "curl --proto '=https' --tlsv1.2 -fsSL https://drop-sh.fullyjustified.net | sh"
