In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.safe_load is not used. https://nvd.nist.gov/vuln/detail/CVE-2017-18342