Is Java affected by CVE-2026-0848?

NLTK versions 3.9.2 and earlier contain a critical arbitrary code execution vulnerability that could allow attackers to execute malicious code on systems running affected versions.

CVE-2026-0848

Q: How to fix CVE-2026-0848?

Within 24 hours: Identify all systems and applications using NLTK <=3.9.2 through dependency scanning and asset inventory; immediately disable StanfordSegmenter module if not essential. Within 7 days: Implement network segmentation to isolate affected systems; restrict execution privileges for processes using NLTK; deploy monitoring for suspicious Java process spawning. Within 30 days: Upgrade to NLTK 3.9.3+ when available; validate all dependencies in your software supply chain; conduct code review of any custom StanfordSegmenter implementations.

CRITICAL

2026-03-05 [email protected]

10.0

CVSS 3.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 05, 2026 - 21:16 nvd

CRITICAL 10.0

Description

NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.

Analysis

Arbitrary code execution in NLTK <= 3.9.2 StanfordSegmenter module. CVSS 10.0, EPSS 0.48%.

Remediation

Within 24 hours: Identify all systems and applications using NLTK <=3.9.2 through dependency scanning and asset inventory; immediately disable StanfordSegmenter module if not essential. Within 7 days: Implement network segmentation to isolate affected systems; restrict execution privileges for processes using NLTK; deploy monitoring for suspicious Java process spawning. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.5

CVSS: +50

POC: 0

Vendor Status

CVE-2026-0848 vulnerability details – vuln.today

Back

CVE-2026-0848

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-0848

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code