Skip to main content

NLTK CVE-2026-0848

CRITICAL
Improper Input Validation (CWE-20)
2026-03-05 security@huntr.dev
Critical
Disputed · 10.0 NVD
Share

Severity by source

Sources disagree (Low–Critical)
NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SUSE
3.1 LOW
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 21, 2026 - 15:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 21, 2026 - 15:07 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 21:16 nvd
CRITICAL 10.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 9 pypi packages depend on nltk (9 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.9.3.

DescriptionCVE.org

NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.

AnalysisAI

Remote code execution in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows unauthenticated attackers to execute arbitrary Java bytecode through the StanfordSegmenter module's unvalidated loading of external JAR files. The vulnerability is exploitable via model poisoning, MITM attacks during JAR downloads, or dependency poisoning, with execution occurring automatically at import time. Despite a critical CVSS 10.0 score, EPSS probability of 0.48% (65th percentile) suggests low observed exploitation activity. No CISA KEV listing indicates no confirmed widespread active exploitation, though the vulnerability is publicly documented on huntr.com with technical details available.

Technical ContextAI

NLTK (Natural Language Toolkit) is a Python library for natural language processing that integrates with Stanford NLP tools through Java interoperability. The StanfordSegmenter module uses Python's subprocess module to invoke external JAR files containing Stanford's Chinese word segmenter. The vulnerability stems from CWE-20 (Improper Input Validation) where the classpath parameter passed to the JVM is not sanitized or validated. The module loads JAR files without verifying cryptographic signatures, checking file integrity, or implementing sandbox restrictions on the Java execution environment. This creates a code injection vector at the boundary between Python and Java runtime environments, where malicious JAR files containing arbitrary Java classes can be executed with the privileges of the Python process.

RemediationAI

Upgrade NLTK to version 3.9.3 or later when available, monitoring the official NLTK GitHub repository and PyPI for patched releases addressing this vulnerability per the huntr.com advisory at https://huntr.com/bounties/08b109bb-ac24-403f-9422-1c246ce60202. Until patched versions are released, implement compensating controls: (1) Pin JAR file versions using cryptographic hash verification before loading, checking SHA256 checksums against known-good values from official Stanford NLP releases - this prevents MITM and poisoning attacks but requires manual hash management. (2) Restrict filesystem permissions on JAR file directories to read-only for the application user and limit write access to trusted administrators only - mitigates local file replacement but not supply chain attacks. (3) If feasible, isolate NLTK processing in containerized environments with egress filtering to prevent post-exploitation lateral movement - adds defense-in-depth but doesn't prevent initial compromise. (4) Audit applications to identify if StanfordSegmenter is actually used; if not required, remove or disable the module entirely - zero risk but loses Chinese segmentation functionality.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

SUSE

Severity: Low

Share

CVE-2026-0848 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy