9.8

CVE-2026-24009

Media Report

Docling Core vulnerable to Remote Code Execution via unsafe PyYAML usage

Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. The vulnerability has been patched in docling-core version 2.48.4. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. Users who cannot immediately upgrade docling-core can alternatively ensure that the installed version of PyYAML is 5.4 or greater.
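The following is an added example and not code from docling-core or from the advisory. It demonstrates the loader distinction the fix relies on and the two mitigations named above: a pre-fix style loader using `yaml.FullLoader`, the patched style using `yaml.SafeLoader`, and a check that the installed PyYAML meets the 5.4 floor. The sample YAML documents and the function names are constructed for illustration; the tagged document uses the harmless `!!python/tuple` tag, which SafeLoader refuses for the same reason it refuses every other Python-specific tag.

```python
# Added example (not docling-core's own code): the FullLoader-vs-SafeLoader
# distinction behind this advisory and the two mitigations it names, namely
# loading with yaml.SafeLoader and requiring PyYAML 5.4 or newer.
import re

import yaml
from yaml.constructor import ConstructorError

# Constructed sample documents. The second carries a Python-specific tag;
# !!python/tuple is harmless but is treated like every other python/* tag:
# FullLoader constructs it, SafeLoader refuses it with ConstructorError.
BENIGN_DOC = "name: example\nversion: '1.0'\n"
PYTHON_TAG_DOC = "pages: !!python/tuple [1, 2]\n"


def pyyaml_version() -> tuple:
    """Installed PyYAML version as a (major, minor) tuple."""
    match = re.match(r"(\d+)\.(\d+)", yaml.__version__)
    return (int(match.group(1)), int(match.group(2)))


def pyyaml_meets_advisory_floor() -> bool:
    """Second mitigation from the advisory: PyYAML must be 5.4 or newer."""
    return pyyaml_version() >= (5, 4)


def load_unpatched(text: str):
    """Pre-fix behaviour: FullLoader constructs Python-specific tags."""
    return yaml.load(text, Loader=yaml.FullLoader)


def load_patched(text: str):
    """Post-fix behaviour: SafeLoader builds only plain YAML data types."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def safe_loader_rejects_python_tag() -> bool:
    """True when SafeLoader refuses the tagged document (the desired outcome)."""
    try:
        load_patched(PYTHON_TAG_DOC)
    except ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("PyYAML", yaml.__version__, "meets 5.4 floor:", pyyaml_meets_advisory_floor())
    print("FullLoader result:", load_unpatched(PYTHON_TAG_DOC))
    print("SafeLoader rejects python tag:", safe_loader_rejects_python_tag())
```

`load_patched` accepts the benign document and raises on the tagged one, which is the behaviour the 2.48.4 fix introduces; `load_unpatched` shows why FullLoader is the wrong choice for untrusted input even where a particular tag happens to be harmless.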
Data provided by the National Vulnerability Database (NVD)
Affected product: Docling / Docling-core (software platform: python), versions >= 2.21.0 and < 2.48.4
No warning was found for this CVE.
EPSS Metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  1.38%  0.685
CVSS Metrics
Source                          Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov                    9.8         3.9            5.9           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com  8.1         2.2            5.9           CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Media Report
17.03.2026 22:20
https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc
Patch
Vendor Advisory
Mitigation
https://github.com/docling-project/docling-core/issues/482
Issue Tracking
https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c
Patch
https://github.com/advisories/GHSA-8q59-q68h-6hv4
Not Applicable
https://github.com/docling-project/docling-core/releases/tag/v2.48.4
Product
Release Notes