GHSA-vqxf-v2gg-x3hc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vqxf-v2gg-x3hc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-vqxf-v2gg-x3hc/GHSA-vqxf-v2gg-x3hc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vqxf-v2gg-x3hc
- Aliases
- Related
- Published
- 2026-01-22T18:02:45Z
- Modified
- 2026-02-04T02:25:33.902853Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage
- Details
-
Impact
A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in
docling-core >=2.21.0, <2.48.4and, specifically only if the application usespyyaml < 5.4and invokesdocling_core.types.doc.DoclingDocument.load_from_yaml()passing it untrusted YAML data.Patches
The vulnerability has been patched in
docling-coreversion 2.48.4. The fix mitigates the issue by switchingPyYAMLdeserialization fromyaml.FullLoadertoyaml.SafeLoader, ensuring that untrusted data cannot trigger code execution.Workarounds
Users who cannot immediately upgrade
docling-corecan alternatively ensure that the installed version ofPyYAMLis 5.4 or greater, which supposedly patches CVE-2020-14343.References
- GitHub Issue: #482
- Upstream Advisory: CVE-2020-14343
- Fix Release: v2.48.4
- Database specific
{ "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-502" ], "github_reviewed_at": "2026-01-22T18:02:45Z", "nvd_published_at": "2026-01-22T16:16:09Z" }- References
-
- https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc
- https://nvd.nist.gov/vuln/detail/CVE-2026-24009
- https://github.com/docling-project/docling-core/issues/482
- https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c
- https://github.com/advisories/GHSA-8q59-q68h-6hv4
- https://github.com/docling-project/docling-core
- https://github.com/docling-project/docling-core/releases/tag/v2.48.4
Affected packages
PyPI / docling-core
Package
- Name
- docling-core
- View open source insights on deps.dev
- Purl
- pkg:pypi/docling-core
Affected versions
2.*
2.21.0
2.21.1
2.21.2
2.22.0
2.23.0
2.23.1
2.23.2
2.23.3
2.24.0
2.24.1
2.25.0
2.26.0
2.26.1
2.26.2
2.26.3
2.26.4
2.27.0
2.28.0
2.28.1
2.29.0
2.30.0
2.30.1
2.31.0
2.31.1
2.31.2
2.32.0
2.33.0
2.33.1
2.34.0
2.34.1
2.34.2
2.35.0
2.36.0
2.37.0
2.38.0
2.38.1
2.38.2
2.39.0
2.40.0
2.41.0
2.42.0
2.43.0
2.43.1
2.44.0
2.44.1
2.44.2
2.45.0
2.46.0
2.47.0
2.48.0
2.48.1
2.48.2
2.48.3