yaml.load() can construct arbitrary Python objects. This is dangerous if you receive a YAML document from an untrusted source.
The issue arises when a program uses a YAML parser that improperly handles untrusted YAML input, allowing attackers to inject malicious payloads. This can result in the execution of arbitrary code on the server, posing a severe security risk if user inputs are not carefully validated.
https://hackerone.com/reports/2467232
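
An added example (not code from the original page or the linked report) contrasting the risky loader with yaml.safe_load() in PyYAML. The sample documents, the function names load_unsafe and load_untrusted, and the mapping-only check are assumptions made for illustration; the tagged document only calls the harmless builtin len().

```python
import yaml  # PyYAML; UnsafeLoader is available in PyYAML 5.1 and later

# Constructed sample: the python/object/apply tag asks the loader to call a
# Python callable named inside the document (here the harmless builtin len).
TAGGED_DOC = "count: !!python/object/apply:builtins.len [[1, 2, 3]]\n"

# Constructed sample: an ordinary document with only plain YAML types.
PLAIN_DOC = "name: web-01\nports: [80, 443]\n"


def load_unsafe(text):
    """Risky pattern: the document decides which Python objects are built."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_untrusted(text):
    """Hardened pattern for input that crosses a trust boundary.

    SafeLoader builds only plain YAML types (dict, list, str, int, ...) and
    raises ConstructorError on python/* tags instead of resolving them.
    """
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        # Fail closed and keep the parser error class for logging.
        raise ValueError(f"rejected YAML input: {type(exc).__name__}") from exc
    # Assumption for this example: the application expects a mapping.
    if not isinstance(data, dict):
        raise ValueError("rejected YAML input: top level must be a mapping")
    return data


if __name__ == "__main__":
    # The unsafe loader runs len() because the document told it to.
    print("unsafe loader:", load_unsafe(TAGGED_DOC))
    print("safe loader  :", load_untrusted(PLAIN_DOC))
    try:
        load_untrusted(TAGGED_DOC)
    except ValueError as err:
        print("safe loader  :", err)
```

The value of count under the unsafe loader was computed by a function call the document requested, which is why the same input must be rejected, not sanitized, on the untrusted path.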