Use of unsafe yaml load. Allows instantiation of arbitrary objects. The flaw itself is caused by an unsafe parsing of YAML values which happens whenever an action message is processed to be sent, and allows for the creation of Python objects. Through this flaw in the ROS core package of actionlib, an attacker with local or remote access can make the ROS Master, execute arbitrary code in Python form. Consider yaml.safe_load() instead. Located first in actionlib/tools/library.py:132. See links for more info on the bug.
Conclusion & alert: CVE-2020-10289 is rated Moderate Risk (63.5/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.95%). Core evidence: EPSS rose +1.15% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.80% | 1.95% | +1.15% |
| 2 | 2026-04-06 | 0.41% | 0.80% | +0.39% |
| 3 | 2026-01-23 | — | 0.41% | — |
Full EPSS history (13 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.8 | 3.1 | HIGH |
|
2.8 | 5.9 | [email protected] |
| 8.0 | 3.0 | HIGH |
|
2.1 | 5.9 | [email protected] |
| 6.5 | 2.0 | MEDIUM |
|
8.0 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2020-10289 not yet assigned priority: Debian including 1 source packages (ros-actionlib), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2020-10289 |
ubuntu
|
medium | CVE-2020-10289 medium priority: Ubuntu including 1 source packages (ros-actionlib), 16 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 7, DNE 5, needs-triage 4. | https://ubuntu.com/security/CVE-2020-10289 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| openrobotics | robot_operating_system | — | cpe:2.3:o:openrobotics:robot_operating_system:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/ros/actionlib/pull/171 | Patch Third Party Advisory |