CVE-2026-24009

描述

### Impact A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in `docling-core >=2.21.0, <2.48.4` and, specifically only if the application uses `pyyaml < 5.4` and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. ### Patches The vulnerability has been patched in `docling-core` version **2.48.4**. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. ### Workarounds Users who cannot immediately upgrade `docling-core` can alternatively ensure that the installed version of `PyYAML` is **5.4 or greater**, which supposedly patches CVE-2020-14343. ### References * GitHub Issue: #482 * Upstream Advisory: CVE-2020-14343 * Fix Release: [v2.48.4](https://github.com/docling-project/docling-core/releases/tag/v2.48.4)

如何修補 CVE-2026-24009

要修補 CVE-2026-24009,請將受影響套件升級到下列已修補版本。

• —升級至 2.48.4 或更新版本

CVE-2026-24009 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 2.21.0, < 2.48.4

CVSS 分數

參考連結(7)

• ADVISORYgithub.com/advisories/GHSA-8q59-q68h-6hv4
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-24009
• PATCHgithub.com/docling-project/docling-core
• WEBgithub.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c