What is CVE-2026-33532?

CVE-2026-33532 is a medium-severity vulnerability in Eemeli Yaml, classified under Uncontrolled Recursion. CVSS score: 4.3/10. Published 2026-03-26.

How severe is CVE-2026-33532?

Medium severity. CVSS v3 base score is 4.3 out of 10.

Is CVE-2026-33532 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Eemeli Yaml

CVE-2026-33532

`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resoluti…

EPSS: 0.000 (7.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.

Affected products

Eemeli Yaml — versions >= 2.0.0, < 2.8.3, >= 1.0.0, < 1.10.3

Weakness classification (CWE)

CWE-674 — Uncontrolled Recursion

Public proof-of-concept exploits

danwulff/astro_CVE-2026-33532

References

https://github.com/eemeli/yaml/security/advisories/GHSA-48c2-rrv3-qjmp (x_refsource_CONFIRM)
https://github.com/eemeli/yaml/commit/1e84ebbea7ec35011a4c61bbb820a529ee4f359b (x_refsource_MISC)
https://github.com/eemeli/yaml/releases/tag/v1.10.3 (x_refsource_MISC)
https://github.com/eemeli/yaml/releases/tag/v2.8.3 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33532?: CVE-2026-33532 is a medium-severity vulnerability in Eemeli Yaml, classified under Uncontrolled Recursion. CVSS score: 4.3/10. Published 2026-03-26.
How severe is CVE-2026-33532?: Medium severity. CVSS v3 base score is 4.3 out of 10.
Is CVE-2026-33532 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.