PyYAML is a widely used PyPI package. As of 2026-05-24, there are 8 known vulnerabilities in the OSV database. The latest stable version is 6.0.3. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (8)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2019-20477 | CRITICAL | 9.5 | 5.1 to 5.2 | 5.2 | Deserialization of Untrusted Data in PyYAML |
| CVE-2020-1747 | CRITICAL | 9.5 | 5.1b7 to 5.3.1 | 5.3.1 | Improper Input Validation in PyYAML |
| CVE-2020-14343 | CRITICAL | 9.5 | 0 to 5.4 | 5.4 | Improper Input Validation in PyYAML |
| CVE-2017-18342 | CRITICAL | 9.5 | 0 to 4.1 | 4.1 | PyYAML insecurely deserializes YAML strings leading to arbitrary code execution |
| CVE-2017-18342 | UNKNOWN | - | 0 to 5.1 | 5.1 | In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced fo |
| CVE-2019-20477 | UNKNOWN | - | 5.1 to 5.2b1 | 5.2b1 | PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue ex |
| CVE-2020-1747 | UNKNOWN | - | 5.1 to 5.3.1 | 5.3.1 | A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method o |
| CVE-2020-14343 | UNKNOWN | - | 0 to 5.4 | 5.4 | A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or |
Security Recommendations
- Pin PyYAML to the latest stable version (6.0.3) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using
pip-audit - Review your lock file (requirements.txt) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is PyYAML safe to use?
PyYAML is actively maintained and widely used. As of 2026-05-24, there are 8 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does PyYAML have?
The OSV database currently lists 8 vulnerabilities for PyYAML. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update PyYAML to fix vulnerabilities?
Run pip install --upgrade pyyaml to get the newest version. Use pip-audit or safety check to scan for known vulnerabilities. Pin your dependencies with a requirements file and review updates regularly.
Using AI-Generated Code with PyYAML?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses PyYAML, we can verify it is locked to a safe version and properly configured.
Get a Vibe Coding Security Audit