CVE-2026-44182: Insecure Env Yaml Injection
Environment variables are iterated and parsed with `yaml.safe_load` or `yaml.load` without structural type validation. If this unvalidated parsed structure is passed into downstream consumers (such as Jinja2 rendered YAML manifests), it allows attackers who control runtime environment variables to achieve configuration or manifest injection. Validate the par
greprules fetch cve-2026-44182-insecure-env-yaml-injection --engine opengrepDescription
Environment variables are iterated and parsed with `yaml.safe_load` or `yaml.load` without structural type validation. If this unvalidated parsed structure is passed into downstream consumers (such as Jinja2 rendered YAML manifests), it allows attackers who control runtime environment variables to achieve configuration or manifest injection. Validate the par
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided
Community feedback
Sign in to report false positives, mark this rule useful, or suggest metadata improvements.