Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local JAR-path control with a required victim action to load it (AV:L/UI:R); resulting Java code runs as the user, giving full C/I/A impact.
Primary rating from Vendor (huntr_ai).
CVSS VectorVendor: huntr_ai
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 68 pypi packages depend on nltk (35 direct, 34 indirect)
Ecosystem-wide dependent count for version 3.9.4.
DescriptionCVE.org
In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser) are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute them via the java() function, which invokes subprocess.Popen() without integrity verification. This vulnerability is identical to CVE-2026-0848, which was fixed for StanfordSegmenter by adding SHA256 verification. However, the fix was not applied to these additional classes, leaving them susceptible to arbitrary code execution when loading untrusted JAR files.
AnalysisAI
Arbitrary code execution in the NLTK Python library (nltk/nltk 3.9.3 and earlier) allows an attacker to run untrusted Java code when a victim loads a malicious JAR through five Stanford interface wrappers (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, StanfordNeuralDependencyParser). These classes pass a user-controllable JAR path to an internal java() helper that calls subprocess.Popen() with no SHA256 integrity check, so a substituted or poisoned JAR executes with the user's privileges. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim application use one of the five vulnerable NLTK Stanford wrapper classes (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, or StanfordNeuralDependencyParser) AND load a JAR from a path the attacker can control or overwrite - e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.0 vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (7.8, High) characterizes this as a local, low-complexity issue that requires user interaction and yields full confidentiality, integrity, and availability impact - consistent with a supply-chain/trojaned-artifact class of bug rather than a remotely reachable service flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can influence the JAR/model path used by an application - for example by tricking a data scientist into downloading a 'Stanford model bundle' or by writing to a world-writable model directory - plants a malicious JAR. When the victim runs code that constructs StanfordNERTagger (or one of the other four classes) pointing at that JAR, NLTK launches it via subprocess.Popen() and the attacker's Java code executes with the victim's privileges. … |
| Remediation | Upgrade to a fixed NLTK release once published; the provided data does not include an exact patched version number, so this is best described as: no vendor-released fixed version is independently confirmed at time of analysis - track the huntr report (https://huntr.com/bounties/f5c93982-0cc9-4e2e-bb85-1b6ab29a2efb) and the nltk/nltk project for a release that extends the CVE-2026-0848 SHA256 verification to these five classes. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems and applications using NLTK versions 3.9.3 or earlier, particularly those with Stanford wrapper dependencies (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, StanfordNeuralDependencyParser); audit logs for suspicious JAR file access or loading. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Arbitrary file disclosure in NLTK 3.9.4 lets remote attackers read any file accessible to the Python process by passing
Unauthenticated remote denial of service in NLTK's WordNet Browser HTTP server (nltk.app.wordnet_app) through version 3.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41656
GHSA-9r6g-266r-89x4