Docling-Project Docling-Core vulnerabilities
2 known vulnerabilities affecting docling-project/docling-core.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2
Vulnerabilities
CVE-2026-24009 | CRITICAL | CVSS 9.8 | ≥ 2.21.0, < 2.48.4 | 2026-01-22
CVE-2026-24009 [CRITICAL] CWE-502 docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage
### Impact
A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in `docling-core >=2.21.0, <2.48.4`, but only if the application uses `pyyaml < 5.4` and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()`, passing it untrusted YAML data.
### Patches
Source: ghsa, osv

CVE-2020-14343 | CRITICAL | CVSS 9.8 | >= 2.21.0, < 2.48.4 | 2021-02-09
CVE-2020-14343 [CRITICAL] CWE-20
A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker
Source: nvd