NLTK CVE-2026-0848
CRITICALSeverity by source
Sources disagree (Low–Critical)AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 9 pypi packages depend on nltk (9 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.9.3.
DescriptionCVE.org
NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.
AnalysisAI
Remote code execution in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows unauthenticated attackers to execute arbitrary Java bytecode through the StanfordSegmenter module's unvalidated loading of external JAR files. The vulnerability is exploitable via model poisoning, MITM attacks during JAR downloads, or dependency poisoning, with execution occurring automatically at import time. Despite a critical CVSS 10.0 score, EPSS probability of 0.48% (65th percentile) suggests low observed exploitation activity. No CISA KEV listing indicates no confirmed widespread active exploitation, though the vulnerability is publicly documented on huntr.com with technical details available.
Technical ContextAI
NLTK (Natural Language Toolkit) is a Python library for natural language processing that integrates with Stanford NLP tools through Java interoperability. The StanfordSegmenter module uses Python's subprocess module to invoke external JAR files containing Stanford's Chinese word segmenter. The vulnerability stems from CWE-20 (Improper Input Validation) where the classpath parameter passed to the JVM is not sanitized or validated. The module loads JAR files without verifying cryptographic signatures, checking file integrity, or implementing sandbox restrictions on the Java execution environment. This creates a code injection vector at the boundary between Python and Java runtime environments, where malicious JAR files containing arbitrary Java classes can be executed with the privileges of the Python process.
RemediationAI
Upgrade NLTK to version 3.9.3 or later when available, monitoring the official NLTK GitHub repository and PyPI for patched releases addressing this vulnerability per the huntr.com advisory at https://huntr.com/bounties/08b109bb-ac24-403f-9422-1c246ce60202. Until patched versions are released, implement compensating controls: (1) Pin JAR file versions using cryptographic hash verification before loading, checking SHA256 checksums against known-good values from official Stanford NLP releases - this prevents MITM and poisoning attacks but requires manual hash management. (2) Restrict filesystem permissions on JAR file directories to read-only for the application user and limit write access to trusted administrators only - mitigates local file replacement but not supply chain attacks. (3) If feasible, isolate NLTK processing in containerized environments with egress filtering to prevent post-exploitation lateral movement - adds defense-in-depth but doesn't prevent initial compromise. (4) Audit applications to identify if StanfordSegmenter is actually used; if not required, remove or disable the module entirely - zero risk but loses Chinese segmentation functionality.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-20 – Improper Input Validation
View allVendor StatusVendor
SUSE
Severity: LowShare
External POC / Exploit Code
Leaving vuln.today