Description

Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. The vulnerability has been patched in docling-core version 2.48.4. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. Users who cannot immediately upgrade docling-core can alternatively ensure that the installed version of PyYAML is 5.4 or greater.

INFO

Published Date :

2026-01-22T15:04:52.745Z

Last Modified :

2026-01-22T15:59:19.883Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-24009 vulnerability.

Vendors Products
Docling
  • Docling-core
Docling-project
  • Docling-core
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24009.

URL Resource
https://github.com/advisories/GHSA-8q59-q68h-6hv4 cve-icon cve-icon
https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c cve-icon cve-icon
https://github.com/docling-project/docling-core/issues/482 cve-icon cve-icon
https://github.com/docling-project/docling-core/releases/tag/v2.48.4 cve-icon cve-icon
https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact