Critical severity 9.8 · NVD Advisory · Published Nov 10, 2017 · Updated May 13, 2026
CVE-2017-16764
Description
An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. A YAML parser can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into loaded YAML to trigger this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| django_make_app (PyPI) | <= 0.1.3 | — |
Affected products
- cpe:2.3:a:django_make_app_project:django_make_app:0.1.3:*:*:*:*:*:*:*
Patches
acd814433d10 fix: use `YAML.safe_load`, Fixes #5
1 file changed · +1 −1
django_make_app/io_utils.py+1 −1 modified@@ -12,7 +12,7 @@ def read_yaml_file(filename): with io.open(filename, mode='r', encoding='utf-8') as the_file: - return yaml.load(the_file) + return yaml.safe_load(the_file) def optimize_code(filename):
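Review bot: the one-line change from `yaml.load(the_file)` to `yaml.safe_load(the_file)` is the right fix, since `safe_load` only builds plain types (mappings, sequences, scalars) and refuses any `!!python/...` constructor tag, but the commit touches only `io_utils.py` and adds no regression test; a test that feeds `read_yaml_file` a document carrying a Python-object tag and asserts `yaml.constructor.ConstructorError` is raised would keep a future refactor from reintroducing the unsafe loader. Also worth a note in the commit or docs: any existing template that relied on custom tags will now fail to load, so the caller may want to catch `ConstructorError` and report the offending file rather than surface a bare traceback.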
Vulnerability mechanics
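As an added example (not code from the django-make-app project), the patched `read_yaml_file` is shown next to a wrapper that reports when `safe_load` refuses a Python-object tag, plus a token-level audit helper for scanning existing templates; the sample documents and the names `load_or_reject`, `python_tags` and `load_text` are constructed here.

```python
import io
import os
import tempfile

import yaml  # PyYAML, the parser the advisory concerns

# Constructed sample documents (not taken from the project).
PLAIN_DOC = "app: blog\nmodels:\n  - Post\n  - Comment\n"
# This tag asks the loader to build an object by calling a Python callable;
# a harmless callable is used here purely to show that safe_load rejects it.
TAGGED_DOC = "app: !!python/object/apply:builtins.str ['constructed']\n"


def read_yaml_file(filename):
    """Hardened read_yaml_file: safe_load builds only plain Python types."""
    with io.open(filename, mode='r', encoding='utf-8') as the_file:
        return yaml.safe_load(the_file)


def load_or_reject(filename):
    """Return (data, None), or (None, reason) when safe_load refuses a tag."""
    try:
        return read_yaml_file(filename), None
    except yaml.constructor.ConstructorError as exc:
        return None, exc.problem


def python_tags(text):
    """Audit helper: list every !!python/ tag in a document by tokenizing
    only, so nothing is constructed; handy for sweeping a template tree."""
    return [tok.value[1] for tok in yaml.scan(text)
            if isinstance(tok, yaml.TagToken)
            and tok.value[0] == '!!' and tok.value[1].startswith('python/')]


def load_text(text):
    """Write the document to a temp file and load it the way the app does."""
    fd, path = tempfile.mkstemp(suffix='.yaml')
    try:
        with io.open(fd, mode='w', encoding='utf-8') as the_file:
            the_file.write(text)
        return load_or_reject(path)
    finally:
        os.remove(path)


if __name__ == '__main__':
    print(load_text(PLAIN_DOC))    # ({'app': 'blog', 'models': [...]}, None)
    print(load_text(TAGGED_DOC))   # (None, 'could not determine a constructor ...')
    print(python_tags(TAGGED_DOC))  # ['python/object/apply:builtins.str']
```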
References
- github.com/illagrenan/django-make-app/issues/5 (NVD: Exploit, Third Party Advisory; Web)
- joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16764-vulnerability-in-django-make-app/ (NVD: Exploit, Third Party Advisory)
- github.com/advisories/GHSA-9pv8-q5rx-c8gq (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16764 (GHSA: Advisory)
- github.com/illagrenan/django-make-app/commit/acd814433d1021aa8783362521b0bd151fdfc9d2 (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/django-make-app/PYSEC-2017-79.yaml (GHSA: Web)
- joel-malwarebenchmark.github.io/blog/2017/11/12/cve-2017-16764-vulnerability-in-django-make-app (GHSA: Web)