Description
NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.
Published: 2026-03-05
Score: 10.0 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

NLTK releases up to and including 3.9.2 contain a flaw in the StanfordSegmenter module that allows an attacker to supply or replace the Java .jar file used at import time. The module launches a Java subprocess with an unvalidated classpath, causing any malicious classes in the jar to execute with full privileges in the host JVM. This flaw falls under input validation weaknesses and improper restriction of execution path, facilitating the execution of arbitrary Java bytecode and equivalent remote code execution.

Affected Systems

The Natural Language Toolkit version 3.9.2 and earlier are affected. The vulnerability applies to all installations that use the StanfordSegmenter component provided by nltk, irrespective of platform, as long as the jar files reside in the standard location.

Risk and Exploitability

The CVSS score of 10.0 reflects a perfect score for confidentiality, integrity, and availability loss. The EPSS score of less than 1 % indicates a very low current probability of exploitation, yet the vulnerability is severe and not listed in the CISA KEV catalog. Attackers would need to place a malicious jar in the npm-specified directory, which could occur through model poisoning, MITM attacks, or dependency poisoning. Once the vulnerable module is imported, the attacker would obtain full control over the JVM process, enabling arbitrary code execution on the host machine.

Generated by OpenCVE AI on April 21, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the official NLTK releases and apply any patch that validates jar inputs or removes the unsafe subprocess call.
  • If an upgrade cannot be performed immediately, limit file system permissions on the directory containing the StanfordSegmenter jars so that only trusted administrators can modify them, preventing unauthorized replacement.
  • Deploy monitoring to detect unexpected changes to the jar files or to the JVM classpath used by NLTK, and consider sandboxing or disabling automatic execution of unverified Java code during the module import.

Generated by OpenCVE AI on April 21, 2026 at 23:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Nltk nltk
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*
Vendors & Products Nltk nltk

Wed, 25 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-829
References
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Fri, 06 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Nltk
Nltk nltk/nltk
Vendors & Products Nltk
Nltk nltk/nltk

Thu, 05 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Description NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.
Title Arbitrary Code Execution in NLTK StanfordSegmenter via Untrusted JAR Loading
Weaknesses CWE-20
References
Metrics cvssV3_0

{'score': 10, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Nltk Nltk Nltk/nltk
cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-03-06T16:31:01.105Z

Reserved: 2026-01-10T23:59:44.115Z

Link: CVE-2026-0848

cve-icon Vulnrichment

Updated: 2026-03-06T16:30:50.393Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T21:16:14.263

Modified: 2026-04-21T14:56:46.883

Link: CVE-2026-0848

cve-icon Redhat

Severity :

Publid Date: 2026-03-05T20:48:05Z

Links: CVE-2026-0848 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:45:02Z

Weaknesses