CVE-2026-24009 — Deserialization of Untrusted Data in Docling-core

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 47.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Docling Docling-core Docling-project Docling-core

Timeline

PublishedJan 22

Description

Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. The vulnerability has…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDdocling/docling-core2.21.0 — 2.48.4

▶PyPIdocling-project/docling-core2.21.0 — 2.48.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage↗2026-01-22

▶

GHSA

docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage↗2026-01-22

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24009 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶