pyyaml
PyPI · 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting pyyaml (page 1 of 1)
- CVE-2017-18342 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 5.1 · 2018-06-27
vulnerable: 3.01 ... 5.1b7 (22 versions)
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the funct…
- CVE-2019-20477 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 5.2b1 · 2020-02-19
vulnerable: 5.1, 5.1.1, 5.1.2
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for C…
- CVE-2020-14343 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 5.4 · 2021-02-09
vulnerable: 3.01 ... 5.4b2 (32 versions)
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Application…
- CVE-2020-1747 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 5.3.1 · 2020-03-24
vulnerable: 5.1 ... 5.3 (7 versions)
A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applicati…
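All four advisories above describe one sink: yaml.load() / load_all() called without a safe Loader, or the full_load / FullLoader and UnsafeLoader paths, fed untrusted YAML that carries object-construction tags. Upgrading to 5.4 or later closes the FullLoader issues, but the durable fix is to use SafeLoader everywhere untrusted input is parsed. The script below is an added example (not part of this listing and not PyYAML project code): it walks a Python file's AST with the standard library to flag those call sites, and shows SafeLoader refusing a tagged document of the kind the CVE-2019-20477 text alludes to. SAMPLE_SOURCE, GADGET_PAYLOAD and the function names are constructed for illustration; the payload deliberately names a harmless callable.

```python
"""Added example: find PyYAML deserialisation sinks in Python source (stdlib only).
The last helper uses PyYAML only if it happens to be importable."""
import ast

# Entry points that build arbitrary Python objects from tagged YAML.
UNSAFE_FUNCS = {"load", "load_all", "full_load", "full_load_all",
                "unsafe_load", "unsafe_load_all"}
UNSAFE_LOADERS = {"Loader", "FullLoader", "UnsafeLoader",
                  "CLoader", "CFullLoader", "CUnsafeLoader"}
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


class _YamlSinkVisitor(ast.NodeVisitor):
    def __init__(self):
        self.module_names = set()  # local names bound to the yaml module
        self.imported = {}         # local name -> attribute imported from yaml
        self.findings = []         # (lineno, call, reason)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "yaml":
                self.module_names.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "yaml":
            for alias in node.names:
                self.imported[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def _yaml_attr(self, node):
        """Map an expression to the yaml attribute it names, or None."""
        if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                and node.value.id in self.module_names):
            return node.attr
        if isinstance(node, ast.Name):
            return self.imported.get(node.id)
        return None

    def visit_Call(self, node):
        func = self._yaml_attr(node.func)
        if func in UNSAFE_FUNCS:
            reason = None
            if func in ("load", "load_all"):
                loader = node.args[1] if len(node.args) > 1 else None
                for kw in node.keywords:  # keyword form wins over positional
                    if kw.arg == "Loader":
                        loader = kw.value
                if loader is None:
                    reason = ("no Loader argument: FullLoader by default in 5.1-5.x, "
                              "unrestricted Loader before 5.1, TypeError in 6.0")
                else:
                    lname = self._yaml_attr(loader)
                    if lname in UNSAFE_LOADERS:
                        reason = f"Loader={lname} constructs arbitrary Python objects"
                    elif lname not in SAFE_LOADERS:
                        reason = "Loader is not a recognised safe loader; review"
            else:
                reason = f"{func}() is shorthand for an unsafe Loader"
            if reason:
                self.findings.append((node.lineno, f"yaml.{func}", reason))
        self.generic_visit(node)


def find_unsafe_yaml_calls(source):
    """Return [(lineno, 'yaml.<func>', reason)] for every risky call in source."""
    visitor = _YamlSinkVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


# Constructed input: the mix of call styles a real service might contain.
SAMPLE_SOURCE = """\
import yaml
from yaml import load as yload, SafeLoader

def parse(cfg_text):
    a = yaml.load(cfg_text)                          # no Loader
    b = yaml.load(cfg_text, Loader=yaml.FullLoader)  # CVE-2020-1747 / -14343 path
    c = yaml.full_load(cfg_text)
    d = yaml.safe_load(cfg_text)                     # not flagged
    e = yaml.load(cfg_text, Loader=SafeLoader)       # not flagged
    f = yload(cfg_text, yaml.UnsafeLoader)           # pre-5.1 load() behaviour
    return a, b, c, d, e, f
"""

# Constructed tagged document: an object-construction tag naming an importable
# callable (harmless here). SafeLoader must refuse the tag whatever the target.
GADGET_PAYLOAD = "!!python/object/apply:os.getcwd []\n"


def safe_load_rejects(payload):
    """Exception class name yaml.safe_load raises for payload, 'ACCEPTED' if it
    parsed, or 'pyyaml-not-installed' so this file still runs without PyYAML."""
    try:
        import yaml
    except ImportError:
        return "pyyaml-not-installed"
    try:
        yaml.safe_load(payload)
    except yaml.YAMLError as exc:
        return type(exc).__name__
    return "ACCEPTED"


if __name__ == "__main__":
    for lineno, call, reason in find_unsafe_yaml_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {call}: {reason}")
    print("safe_load on tagged payload:", safe_load_rejects(GADGET_PAYLOAD))
```

Run against SAMPLE_SOURCE the scanner reports lines 5, 6, 7 and 10 and stays quiet on the two SafeLoader calls; with PyYAML installed, safe_load_rejects returns "ConstructorError", because SafeConstructor has no constructor for python/object tags. Point find_unsafe_yaml_calls at real files (ast.parse on the file contents) to triage the call sites before deciding whether an affected version range in the list above is actually reachable from untrusted input.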
Check whether pyyaml is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for pyyaml CVEs against the assets you own.