{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-17T06:50:19.068","vulnerabilities":[{"cve":{"id":"CVE-2026-24009","sourceIdentifier":"security-advisories@github.com","published":"2026-01-22T16:16:09.320","lastModified":"2026-04-09T14:25:51.167","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. The vulnerability has been patched in docling-core version 2.48.4. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. Users who cannot immediately upgrade docling-core can alternatively ensure that the installed version of PyYAML is 5.4 or greater."},{"lang":"es","value":"Docling Core (o docling-core) es una librería que define tipos de datos centrales y transformaciones en la aplicación de procesamiento de documentos Docling. Una vulnerabilidad de ejecución remota de código (RCE) relacionada con PyYAML, concretamente CVE-2020-14343, se expone en docling-core a partir de la versión 2.21.0 y anterior a la versión 2.48.4, específicamente solo si la aplicación utiliza pyyaml anterior a la versión 5.4 e invoca 'docling_core.types.doc.DoclingDocument.load_from_yaml()' pasándole datos YAML no confiables. La vulnerabilidad ha sido parcheada en docling-core versión 2.48.4. La solución mitiga el problema al cambiar la deserialización de 'PyYAML' de 'yaml.FullLoader' a 'yaml.SafeLoader', asegurando que los datos no confiables no puedan desencadenar la ejecución de código. Los usuarios que no puedan actualizar docling-core inmediatamente pueden, alternativamente, asegurarse de que la versión instalada de PyYAML sea 5.4 o superior."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:docling:docling-core:*:*:*:*:*:python:*:*","versionStartIncluding":"2.21.0","versionEndExcluding":"2.48.4","matchCriteriaId":"FD7C4503-47A0-4AC3-BCF6-17C8E790F67F"}]}]}],"references":[{"url":"https://github.com/advisories/GHSA-8q59-q68h-6hv4","source":"security-advisories@github.com","tags":["Not Applicable"]},{"url":"https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/docling-project/docling-core/issues/482","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/docling-project/docling-core/releases/tag/v2.48.4","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc","source":"security-advisories@github.com","tags":["Mitigation","Patch","Vendor Advisory"]}]}}]}