{"id":"PYSEC-2026-393","summary":"Unsafe YAML deserialization in llama-hub","details":"The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not used for YAML.","aliases":["CVE-2024-23730","GHSA-297x-2qf3-jrj3"],"modified":"2026-07-01T20:22:56.464580Z","published":"2026-06-29T11:50:41.670418Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-23730"},{"type":"WEB","url":"https://github.com/run-llama/llama-hub/pull/841/commits/9dc9c21a5c6d0226d1d2101c3121d4f085743d52"},{"type":"WEB","url":"https://github.com/run-llama/llama-hub/commit/c01416e737c7747a213a79881b8308c41d043515"},{"type":"PACKAGE","url":"https://github.com/run-llama/llama-hub"},{"type":"WEB","url":"https://github.com/run-llama/llama-hub/blob/v0.0.67/CHANGELOG.md"},{"type":"WEB","url":"https://github.com/run-llama/llama-hub/releases/tag/v0.0.67"},{"type":"PACKAGE","url":"https://pypi.org/project/llama-hub"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-297x-2qf3-jrj3"}],"affected":[{"package":{"name":"llama-hub","ecosystem":"PyPI","purl":"pkg:pypi/llama-hub"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.0.67"}]}],"versions":["0.0.1","0.0.10","0.0.11","0.0.12","0.0.13","0.0.14","0.0.15","0.0.16","0.0.18","0.0.19","0.0.1a1","0.0.1a2","0.0.2","0.0.21","0.0.22","0.0.23","0.0.24","0.0.24.post1","0.0.25","0.0.26","0.0.27","0.0.29","0.0.3","0.0.30","0.0.31","0.0.32","0.0.33","0.0.34","0.0.35","0.0.36","0.0.37","0.0.38","0.0.39","0.0.4","0.0.40","0.0.41","0.0.42","0.0.43","0.0.44","0.0.45","0.0.46","0.0.47","0.0.47.post1","0.0.48","0.0.5","0.0.50","0.0.52","0.0.54","0.0.55","0.0.55.post1","0.0.56","0.0.56.post1","0.0.57","0.0.58","0.0.58.post1","0.0.59","0.0.6","0.0.60","0.0.61","0.0.62","0.0.64","0.0.65","0.0.66","0.0.7","0.0.8","0.0.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/llama-hub/PYSEC-2026-393.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}