CVE-2026-24009

Description

### Impact A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in `docling-core >=2.21.0, <2.48.4` and, specifically only if the application uses `pyyaml < 5.4` and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. ### Patches The vulnerability has been patched in `docling-core` version **2.48.4**. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. ### Workarounds Users who cannot immediately upgrade `docling-core` can alternatively ensure that the installed version of `PyYAML` is **5.4 or greater**, which supposedly patches CVE-2020-14343. ### References * GitHub Issue: #482 * Upstream Advisory: CVE-2020-14343 * Fix Release: [v2.48.4](https://github.com/docling-project/docling-core/releases/tag/v2.48.4)

How to fix CVE-2026-24009

To remediate CVE-2026-24009, upgrade the affected package to a fixed version below.

• —upgrade to 2.48.4 or later

Is CVE-2026-24009 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2.21.0, < 2.48.4

CVSS scores

References (7)

• ADVISORYgithub.com/advisories/GHSA-8q59-q68h-6hv4
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-24009
• PATCHgithub.com/docling-project/docling-core
• WEBgithub.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c