Skip to main content

Docling Core

1 CVEs product

Monthly

Sort: Newest CVSS Score EPSS Score Oldest
CVE-2026-24009 PyPI HIGH PATCH This Week

Remote code execution in Docling Core versions 2.21.0 through 2.48.3 allows unauthenticated attackers to execute arbitrary code when applications deserialize untrusted YAML data using the `DoclingDocument.load_from_yaml()` method with vulnerable PyYAML versions. The vulnerability stems from unsafe deserialization practices (CWE-502) and affects document processing systems using affected library versions. No patch is currently available; mitigation requires upgrading to version 2.48.4 or ensuring PyYAML 5.4+ is installed.

RCE Deserialization Docling Core
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-24009 PyPI
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Docling Core versions 2.21.0 through 2.48.3 allows unauthenticated attackers to execute arbitrary code when applications deserialize untrusted YAML data using the `DoclingDocument.load_from_yaml()` method with vulnerable PyYAML versions. The vulnerability stems from unsafe deserialization practices (CWE-502) and affects document processing systems using affected library versions. No patch is currently available; mitigation requires upgrading to version 2.48.4 or ensuring PyYAML 5.4+ is installed.

RCE Deserialization Docling Core
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy