CVE-2020-14343 — Improper Input Validation in Pyyaml

CWE-20 — Improper Input Validation CWE-502 — Deserialization of Untrusted Data21 documents12 sources

Severity

9.8CRITICALNVD

EPSS

13.7%

top 5.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Pyyaml Docling Docling-core Docling-project Docling-core +6 more

Timeline

PublishedFeb 9

Latest updateJan 22

Description

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages12 packages

▶NVDpyyaml/pyyaml5.1 — 5.4

▶PyPIpyyaml/pyyaml< 5.4

▶debiandebian/pyyaml< pyyaml 5.3.1-4 (bookworm)

▶Debianpyyaml/pyyaml< 5.3.1-4+3

▶msrcmsrc/cbl2_pyyaml_5.4.1-1_on_cbl_mariner_2.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage↗2026-01-22

▶

GHSA

docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage↗2026-01-22

▶

OSV

Improper Input Validation in PyYAML↗2021-03-25

▶

GHSA

Improper Input Validation in PyYAML↗2021-03-25

▶

OSV

CVE-2020-14343: A vulnerability was discovered in the PyYAML library in versions before 5↗2021-02-09

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2025-0006 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2025-02-12

▶

Oracle

Oracle Oracle PeopleSoft Risk Matrix: Porting (PyYAML) — CVE-2020-14343↗2023-04-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: CNE (PyYAML) — CVE-2020-14343↗2022-07-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: OC-CNE (PyYAML) — CVE-2020-14343↗2022-04-15

▶

Ubuntu

PyYAML vulnerability↗2021-05-10

▶

🕵️Threat Intelligence

Bleepingcomputer

Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws↗2023-11-14

▶

📄Research Papers

arXiv

VulnRepairEval: An Exploit-Based Evaluation Framework for Assessing Large Language Model Vulnerability Repair Capabilities↗2025-09-03

▶

💬Community

Bugzilla

CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747 [fedora-all]↗2020-07-24

▶

Bugzilla

CVE-2020-14343 python3-PyYAML: PyYAML: incomplete fix for CVE-2020-1747 [epel-all]↗2020-07-24

▶

Bugzilla

CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747↗2020-07-24

▶

Bugzilla

CVE-2020-14343 python2-pyyaml: PyYAML: incomplete fix for CVE-2020-1747 [epel-all]↗2020-07-24

▶