CVE-2023-46302: Apache Software Foundation Apache Submarine has a bug when serializing against yaml. The bug is caused by snakeyaml htt
Summary
Apache Submarine has a security vulnerability in how it handles YAML (a data format language) requests because it uses an unsafe library, snakeyaml, to load them. When users send YAML data to the application through its REST API (a system for receiving web requests), the unsafe handling could allow an attacker who submits crafted YAML to execute malicious code on the server.
Solution / Mitigation
Users should upgrade to Apache Submarine version 0.8.0, which fixes this issue by replacing snakeyaml with jackson-dataformat-yaml. If upgrading is not possible, users can cherry-pick (apply a specific code fix from) PR https://github.com/apache/submarine/pull/1054 and rebuild the submarine-server image.
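The pattern behind this class of bug, as an added example that is not Submarine's own code: the default snakeyaml loader honours arbitrary class tags in untrusted input, while a SafeConstructor or, as the 0.8.0 fix does, jackson-dataformat-yaml binding to a declared type does not. `JobSpec` and the sample YAML are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;

public class YamlHandling {
    // Hypothetical DTO standing in for the request body a REST endpoint expects.
    public static class JobSpec {
        public String name;
        public int replicas;
    }

    // Vulnerable pattern: the default constructor honours "!!fully.qualified.Class" tags,
    // so untrusted YAML can decide which server-side classes get instantiated.
    static Object loadUnsafe(String untrustedYaml) {
        return new Yaml().load(untrustedYaml);
    }

    // Hardened snakeyaml: SafeConstructor only builds standard YAML types (maps, lists, scalars).
    static Object loadSafe(String untrustedYaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(untrustedYaml);
    }

    // Approach taken by the 0.8.0 fix: jackson-dataformat-yaml binds only to the declared target type,
    // so the document cannot name a class of its own choosing.
    static JobSpec loadWithJackson(String untrustedYaml) throws Exception {
        return new ObjectMapper(new YAMLFactory()).readValue(untrustedYaml, JobSpec.class);
    }

    public static void main(String[] args) throws Exception {
        String ok = "name: train\nreplicas: 2\n";            // constructed: well-formed request
        String tagged = "!!java.lang.Object {}\n";           // constructed: a class tag that must be refused
        System.out.println(loadWithJackson(ok).name + " x" + loadWithJackson(ok).replicas);
        try {
            loadSafe(tagged);
        } catch (RuntimeException e) {
            // SafeConstructor refuses the tag instead of instantiating the named class.
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```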
Vulnerability Details
Severity: 9.8 (critical)
EPSS: 0.2%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2023-46302
First tracked: February 15, 2026 at 08:43 PM
Classified by LLM (prompt v3) · confidence: 75%