GHSA-rprw-h62v-c2w7CriticalCVSS 9.8

PyYAML insecurely deserializes YAML strings leading to arbitrary code execution

Published
January 4, 2019
Last Modified
July 1, 2026

🔗 CVE IDs covered (1)

📋 Description

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used.

This was intended to be fixed in 4.1, but due to breaking changes, 4.1 was yanked and 5.1 contains the patch for CVE-2017-18342.

🎯 Affected products1

  • pip/PyYAML:< 5.1

🔗 References (14)