All PyYAML CVEs — Complete Vulnerability History
PyYAML is Python's YAML parser. The most critical CVE is CVE-2020-14343 — remote code execution via yaml.load() without a Loader argument. This is on the CISA KEV list.
PyPI · 100M+ weekly downloads · 3 CVEs total · 3 CRITICAL · 🔴 CISA KEV
Full CVE history
🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2017-18342 | 2017 | CRITICAL | RCE via yaml.load() without Loader | Fixed 5.1 |
| CVE-2020-1747 | 2020 | CRITICAL | RCE via crafted YAML in FullLoader | Fixed 5.3.1 |
| CVE-2020-14343 | 2020 | 🔴CRITICAL | RCE via yaml.load() — CISA KEV | Fixed 5.4 |
Current safe version: 6.0.1
Pin the fixed release in requirements.txt (pip does not accept quoted requirement lines, so the entries are unquoted):

```text
# Before
PyYAML==5.4.1
# After
PyYAML==6.0.1
```

Then run: `pip install -r requirements.txt`
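A small checker, added here as an example and not part of the page or of PackageFix, that reads requirements.txt-style pins and reports which of the three CVEs in the table above still apply to the pinned PyYAML version. It assumes plain `==` pins (version ranges and pre-release suffixes are out of scope), and the requirements text it scans is constructed for the example.

```python
import re

# Fixed-in versions taken from the CVE table above, keyed by CVE id.
FIXED_IN = {
    "CVE-2017-18342": (5, 1),
    "CVE-2020-1747": (5, 3, 1),
    "CVE-2020-14343": (5, 4),
}
RECOMMENDED = (6, 0, 1)  # "Current safe version" from the page

# Constructed requirements.txt content for the example (not from the page).
SAMPLE_REQUIREMENTS = """
# application deps
requests==2.31.0
pyyaml==5.3   # pinned long ago
PyYAML[extra]==6.0.1 ; python_version >= "3.8"
"""

# name, optional extras, '==' and a plain release version; anything after is ignored
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*==\s*([0-9][0-9.]*)")


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of -_. collapse to one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """'5.3.1' -> (5, 3, 1); tuples compare correctly for plain release segments."""
    return tuple(int(part) for part in text.strip(".").split("."))


def pyyaml_pins(requirements):
    """Return the pinned PyYAML versions found in a requirements.txt body."""
    pins = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = PIN_RE.match(line)
        if match and normalize(match.group(1)) == "pyyaml":
            pins.append(parse_version(match.group(3)))
    return pins


def affected_cves(version):
    """CVEs whose fix landed in a release newer than the pinned version."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def check_requirements(requirements):
    """Map each pinned PyYAML version (as a string) to the CVEs still affecting it."""
    return {".".join(map(str, v)): affected_cves(v) for v in pyyaml_pins(requirements)}


if __name__ == "__main__":
    for version, cves in check_requirements(SAMPLE_REQUIREMENTS).items():
        status = "OK" if not cves else "affected by " + ", ".join(cves)
        print(f"PyYAML=={version}: {status}")
```

A pin of 5.3 is reported against CVE-2020-1747 and CVE-2020-14343 but not CVE-2017-18342, matching the table; 6.0.1 reports clean.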
Common questions
How do I fix PyYAML's RCE vulnerability?
Replace yaml.load(data) with yaml.safe_load(data) everywhere in your codebase. safe_load() uses SafeLoader, which does not allow arbitrary Python object construction. Then update to PyYAML 6.0.1.
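Finding every such call by hand is error-prone, so here is a stdlib-only audit, added as an example and not code from the page, that walks a module's AST and reports each yaml.load() or yaml.load_all() call that omits Loader or passes a loader other than SafeLoader/BaseLoader (or their C variants). It follows `import yaml as ...` and `from yaml import load as ...` aliases; the source it scans is constructed for the example.

```python
import ast

# Constructed sample module (not from the page): a mix of safe and unsafe calls.
SAMPLE_SOURCE = '''
import yaml
from yaml import load as yload, Loader, SafeLoader

cfg1 = yaml.safe_load(open("a.yml"))                     # safe
cfg2 = yaml.load(open("b.yml"))                          # unsafe: no Loader
cfg3 = yaml.load(open("c.yml"), Loader=yaml.SafeLoader)  # safe
cfg4 = yaml.load(open("d.yml"), Loader=yaml.Loader)      # unsafe: full Loader
cfg5 = yaml.load(open("e.yml"), yaml.UnsafeLoader)       # unsafe: positional
cfg6 = yload(open("f.yml"), Loader=SafeLoader)           # safe via alias
cfg7 = yload(open("g.yml"))                              # unsafe via alias
'''

# Loaders that construct only plain data, never arbitrary Python objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}


def _loader_name(node):
    """Trailing identifier of a Loader expression: yaml.SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


class YamlLoadAuditor(ast.NodeVisitor):
    def __init__(self):
        self.yaml_modules = set()  # names bound to the yaml module (import yaml as y)
        self.load_aliases = set()  # names bound to yaml.load / yaml.load_all directly
        self.findings = []         # (line number, reason)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "yaml":
                self.yaml_modules.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "yaml":
            for alias in node.names:
                if alias.name in ("load", "load_all"):
                    self.load_aliases.add(alias.asname or alias.name)
        self.generic_visit(node)

    def _is_load_call(self, func):
        if isinstance(func, ast.Attribute) and func.attr in ("load", "load_all"):
            return isinstance(func.value, ast.Name) and func.value.id in self.yaml_modules
        return isinstance(func, ast.Name) and func.id in self.load_aliases

    def visit_Call(self, node):
        if self._is_load_call(node.func):
            loader = None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = kw.value
            if loader is None and len(node.args) >= 2:
                loader = node.args[1]  # Loader passed positionally
            if loader is None:
                self.findings.append((node.lineno, "yaml.load() without Loader"))
            elif _loader_name(loader) not in SAFE_LOADERS:
                self.findings.append((node.lineno, f"yaml.load() with {_loader_name(loader)}"))
        self.generic_visit(node)


def audit_source(source):
    """Return [(lineno, reason), ...] for every unsafe yaml.load()/load_all() call."""
    auditor = YamlLoadAuditor()
    auditor.visit(ast.parse(source))
    return auditor.findings


if __name__ == "__main__":
    for lineno, reason in audit_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
```

Calls that omit Loader are flagged because PyYAML 5.1 only downgraded them to a FullLoader default with a warning; 6.0 made the argument mandatory. Run the auditor over each file in the repository and treat every finding as a candidate for yaml.safe_load().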
Is yaml.safe_load() completely safe?
safe_load() prevents arbitrary code execution: it only constructs basic Python types (strings, numbers, lists, dicts). It is safe for loading configuration files from trusted or untrusted sources.