Skip to main content

NLTK CVE-2026-12252

| EUVDEUVD-2026-41656 HIGH
Code Injection (CWE-94)
2026-07-04 @huntr_ai GHSA-9r6g-266r-89x4
7.8
CVSS 3.0 · Vendor: huntr_ai
Share

Severity by source

Vendor (huntr_ai) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local JAR-path control with a required victim action to load it (AV:L/UI:R); resulting Java code runs as the user, giving full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
7.8 HIGH
qualitative

Primary rating from Vendor (huntr_ai).

CVSS VectorVendor: huntr_ai

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 04, 2026 - 02:28 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 68 pypi packages depend on nltk (35 direct, 34 indirect)

Ecosystem-wide dependent count for version 3.9.4.

DescriptionCVE.org

In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser) are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute them via the java() function, which invokes subprocess.Popen() without integrity verification. This vulnerability is identical to CVE-2026-0848, which was fixed for StanfordSegmenter by adding SHA256 verification. However, the fix was not applied to these additional classes, leaving them susceptible to arbitrary code execution when loading untrusted JAR files.

AnalysisAI

Arbitrary code execution in the NLTK Python library (nltk/nltk 3.9.3 and earlier) allows an attacker to run untrusted Java code when a victim loads a malicious JAR through five Stanford interface wrappers (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, StanfordNeuralDependencyParser). These classes pass a user-controllable JAR path to an internal java() helper that calls subprocess.Popen() with no SHA256 integrity check, so a substituted or poisoned JAR executes with the user's privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain influence over JAR/model path
Delivery
Plant malicious Stanford JAR
Exploit
Victim instantiates Stanford wrapper class
Execution
java() calls subprocess.Popen on JAR
Persist
Attacker Java code executes as user
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim application use one of the five vulnerable NLTK Stanford wrapper classes (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, or StanfordNeuralDependencyParser) AND load a JAR from a path the attacker can control or overwrite - e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.0 vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (7.8, High) characterizes this as a local, low-complexity issue that requires user interaction and yields full confidentiality, integrity, and availability impact - consistent with a supply-chain/trojaned-artifact class of bug rather than a remotely reachable service flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can influence the JAR/model path used by an application - for example by tricking a data scientist into downloading a 'Stanford model bundle' or by writing to a world-writable model directory - plants a malicious JAR. When the victim runs code that constructs StanfordNERTagger (or one of the other four classes) pointing at that JAR, NLTK launches it via subprocess.Popen() and the attacker's Java code executes with the victim's privileges. …
Remediation Upgrade to a fixed NLTK release once published; the provided data does not include an exact patched version number, so this is best described as: no vendor-released fixed version is independently confirmed at time of analysis - track the huntr report (https://huntr.com/bounties/f5c93982-0cc9-4e2e-bb85-1b6ab29a2efb) and the nltk/nltk project for a release that extends the CVE-2026-0848 SHA256 verification to these five classes. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems and applications using NLTK versions 3.9.3 or earlier, particularly those with Stanford wrapper dependencies (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, StanfordNeuralDependencyParser); audit logs for suspicious JAR file access or loading. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-12252 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy