Company
Date Published
Author
Andrey Polkovneychenko and Shachar Menashe
Word count
860
Language
English
Hacker News points
None

Summary

JFrog's security research team has identified a code injection vulnerability, tracked as CVE-2021-38305, in Yamale, a widely used YAML schema validator. The vulnerability arises because Yamale passes parts of the schema file, one of its mandatory parameters, to Python's eval function, so an attacker who can modify the schema can execute arbitrary Python code. Although the evaluation was restricted by removing built-in functions, an attacker can still reach code execution through Python reflection. Yamale's maintainers addressed the issue by introducing a whitelist that sanitizes the input before it is evaluated, while the report recommends ast.literal_eval as a safer alternative. Remote exploitation is theoretically possible if an attacker controls the schema file, but such scenarios are rare in production environments. The report highlights the importance of sanitizing any input passed to eval and praises Yamale's maintainers for their prompt response in addressing the security flaw.