PT-2026-3946 · Unknown+1 · Docling-Core+1

Avioligo · Published 2021-03-25 · Updated 2026-01-24 · CVE-2026-24009

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Docling Core versions 2.21.0 through 2.48.3

Description: Docling Core, a library for document processing, contains a Remote Code Execution (RCE) issue related to PyYAML. The issue, identified as CVE-2020-14343, arises when the application uses a PyYAML version prior to 5.4 and invokes the docling_core.types.doc.DoclingDocument.load_from_yaml() function on untrusted YAML data. The vulnerability allows an attacker to execute arbitrary code on the system by exploiting the python/object/new constructor. The issue stems from an incomplete fix for CVE-2020-1747: the FullLoader deserialization method in PyYAML remains susceptible to code execution when processing untrusted YAML files.

Recommendations: Docling Core versions 2.21.0 through 2.48.3 should be upgraded to version 2.48.4. If upgrading Docling Core is not immediately possible, ensure that the installed version of PyYAML is 5.4 or greater.
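The exposure condition above (an affected Docling Core release combined with PyYAML older than 5.4) can be checked mechanically against a dependency lockfile. The following is an added example, not tooling from the advisory or from the Docling project; the requirements file contents are constructed, and the version ranges are the ones stated in this advisory.

```python
# Added example (not the advisory's own tooling): check pinned versions in a
# requirements-style lockfile against the ranges stated for CVE-2026-24009.
import re

# Ranges taken from the advisory text.
DOCLING_FIRST_AFFECTED = (2, 21, 0)   # 2.21.0 is the first affected release
DOCLING_FIRST_FIXED = (2, 48, 4)      # 2.48.4 carries the fix
PYYAML_FIRST_SAFE = (5, 4)            # PyYAML 5.4 fixed CVE-2020-14343

def parse_version(text):
    """Turn '2.48.3' into (2, 48, 3); a trailing suffix such as 'rc1' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def normalize_name(name):
    """PEP 503 style normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(requirements):
    """Collect exact '==' pins from requirements.txt-style text."""
    pins = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\S+)", line)
        if m:
            pins[normalize_name(m.group(1))] = parse_version(m.group(2))
    return pins

def is_exposed(pins):
    """True when the pinned set matches the advisory's vulnerable condition."""
    docling = pins.get("docling-core")
    if docling is None or not (DOCLING_FIRST_AFFECTED <= docling < DOCLING_FIRST_FIXED):
        return False
    pyyaml = pins.get("pyyaml")
    # No PyYAML pin: the interim mitigation (>= 5.4) cannot be shown to be present.
    return pyyaml is None or pyyaml < PYYAML_FIRST_SAFE

# Constructed sample lockfile for demonstration.
SAMPLE_REQUIREMENTS = """
docling-core==2.30.1
PyYAML==5.3.1   # older than the 5.4 fix for CVE-2020-14343
requests==2.31.0
"""

if __name__ == "__main__":
    print("exposed:", is_exposed(parse_pins(SAMPLE_REQUIREMENTS)))
```

Tuple comparison handles shorter pins (`2.48` sorts before `2.48.4`) without extra dependencies; a missing PyYAML pin is treated as exposed because the interim mitigation cannot be confirmed.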

Tags: Exploit · Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2026-24009
GHSA-8Q59-Q68H-6HV4
GHSA-VQXF-V2GG-X3HC

Affected Products

Docling-Core
Pyyaml