The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not used for YAML.
"https://github.com/pypa/advisory-database/blob/main/vulns/llama-hub/PYSEC-2026-393.yaml"