pyyaml
Safeguard articles tagged "pyyaml" — guides, analysis, and best practices for software supply chain and application security.
6 articles
PyYAML Security Guide (2026)
PyYAML is the default YAML parser for Python — and its history of arbitrary-code-execution CVEs from unsafe loading makes yaml.load() one of the most dangerous calls in the language.
PyYAML full_load unsafe deserialization arbitrary code execution (CVE-2020-14343)
CVE-2020-14343 shows PyYAML's full_load/FullLoader "safe" fix was incomplete, enabling arbitrary code execution. Here's the fix and how to detect exposure.
PyYAML Loader arbitrary code execution (CVE-2017-18342)
PyYAML's default yaml.load() Loader lets attackers run arbitrary code via crafted YAML input. Here's how CVE-2017-18342 works and how to fix it.
CVE-2017-18342: Arbitrary code execution via PyYAML yaml....
CVE-2017-18342 lets attackers achieve remote code execution via PyYAML's yaml.load(), which deserialized untrusted YAML into live Python objects by default.
CVE-2020-1747: PyYAML full_load still allows code execution
CVE-2020-1747 shows PyYAML's FullLoader and full_load() could still trigger arbitrary code execution on untrusted YAML before 5.3.1. Here's the full breakdown.
CVE-2020-14343: PyYAML arbitrary code execution via pytho...
CVE-2020-14343 lets attackers run arbitrary code via PyYAML's python/object/new tag, bypassing an earlier FullLoader fix. Versions, CVSS, and remediation inside.