pyyaml CVE Vulnerabilities & Metrics

Focus on pyyaml vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About pyyaml Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with pyyaml. We track both calendar-based metrics (using fixed periods) and rolling metrics (using sliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total pyyaml CVEs: 7
Earliest CVE date: 06 Feb 2014, 22:55 UTC
Latest CVE date: 13 Jun 2024, 17:15 UTC

Latest CVE reference: CVE-2024-35326

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 3

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical pyyaml CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.36

Max CVSS: 10.0

Critical CVEs (≥9): 2

CVSS Range vs. Count

CVSS Range   Count
0.0-3.9      3
4.0-6.9      3
7.0-8.9      2
9.0-10.0     2

CVSS Distribution Chart

Top 5 Highest CVSS pyyaml CVEs

These are the five CVEs with the highest CVSS scores for pyyaml, sorted by severity first and then by recency.

All CVEs for pyyaml

CVE-2024-35326 pyyaml vulnerability CVSS: 0 13 Jun 2024, 17:15 UTC

libyaml v0.2.5 is vulnerable to Buffer Overflow. Affected by this issue is the function yaml_emitter_emit of the file /src/libyaml/src/emitter.c. The manipulation leads to a double-free. NOTE: this is disputed by the supplier because the discoverer's sample C code is incorrect: it does not call all of the required _initialize functions that are described in the LibYAML documentation.

CVE-2024-35325 pyyaml vulnerability CVSS: 0 13 Jun 2024, 17:15 UTC

A vulnerability was found in libyaml up to 0.2.5. Affected by this issue is the function yaml_event_delete of the file /src/libyaml/src/api.c. The manipulation leads to a double-free.

CVE-2024-35328 pyyaml vulnerability CVSS: 0 13 Jun 2024, 16:15 UTC

libyaml v0.2.5 is vulnerable to a denial of service. Affected by this issue is the function yaml_parser_parse of the file /src/libyaml/src/parser.c. NOTE: this is disputed by the supplier because the discoverer's sample C code is incorrect: it does not call required _initialize functions that are described in the LibYAML documentation.

CVE-2020-14343 pyyaml vulnerability CVSS: 10.0 09 Feb 2021, 21:15 UTC

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.

CVE-2020-1747 pyyaml vulnerability CVSS: 10.0 24 Mar 2020, 15:15 UTC

A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.

CVE-2019-20477 pyyaml vulnerability CVSS: 7.5 19 Feb 2020, 04:15 UTC

PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

CVE-2017-18342 pyyaml vulnerability CVSS: 7.5 27 Jun 2018, 12:29 UTC

In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.

CVE-2014-9130 pyyaml vulnerability CVSS: 5.0 08 Dec 2014, 16:59 UTC

scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vectors involving line-wrapping.

CVE-2014-2525 pyyaml vulnerability CVSS: 6.8 28 Mar 2014, 15:55 UTC

Heap-based buffer overflow in the yaml_parser_scan_uri_escapes function in LibYAML before 0.1.6 allows context-dependent attackers to execute arbitrary code via a long sequence of percent-encoded characters in a URI in a YAML file.

CVE-2013-6393 pyyaml vulnerability CVSS: 6.8 06 Feb 2014, 22:55 UTC

The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.