This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function.

qlib Deserialization of Untrusted Data vulnerability