Nltk Nltk
Monthly
Arbitrary code execution in the NLTK Python library (nltk/nltk 3.9.3 and earlier) allows an attacker to run untrusted Java code when a victim loads a malicious JAR through five Stanford interface wrappers (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, StanfordNeuralDependencyParser). These classes pass a user-controllable JAR path to an internal java() helper that calls subprocess.Popen() with no SHA256 integrity check, so a substituted or poisoned JAR executes with the user's privileges. This is a regression of CVE-2026-0848, whose SHA256 verification fix was applied only to StanfordSegmenter and never propagated to these five classes; no public exploit is identified at time of analysis, though a huntr bounty report exists.
Arbitrary file disclosure in NLTK 3.9.4 lets remote attackers read any file accessible to the Python process by passing percent-encoded path-traversal sequences (e.g. ..%2f) into nltk.data.load() or nltk.data.find(). The flaw is an incomplete fix for GitHub Issue #3504: the _UNSAFE_NO_PROTOCOL_RE guard only matches literal ../ while url2pathname() decodes the encoded form after the check runs, so the validation is bypassed. No public exploit identified at time of analysis, though it was reported through a huntr.com bounty; it is not listed in CISA KEV and no EPSS score was supplied.
Unauthenticated remote denial of service in NLTK's WordNet Browser HTTP server (nltk.app.wordnet_app) through version 3.9.3 allows any network-reachable attacker to terminate the server process by sending a single GET request to /SHUTDOWN%20THE%20SERVER. The server binds to all interfaces by default and invokes os._exit(0) on receipt, with no public exploit identified at time of analysis but exploitation is trivial given the documented endpoint.
Arbitrary code execution in the NLTK Python library (nltk/nltk 3.9.3 and earlier) allows an attacker to run untrusted Java code when a victim loads a malicious JAR through five Stanford interface wrappers (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, StanfordNeuralDependencyParser). These classes pass a user-controllable JAR path to an internal java() helper that calls subprocess.Popen() with no SHA256 integrity check, so a substituted or poisoned JAR executes with the user's privileges. This is a regression of CVE-2026-0848, whose SHA256 verification fix was applied only to StanfordSegmenter and never propagated to these five classes; no public exploit is identified at time of analysis, though a huntr bounty report exists.
Arbitrary file disclosure in NLTK 3.9.4 lets remote attackers read any file accessible to the Python process by passing percent-encoded path-traversal sequences (e.g. ..%2f) into nltk.data.load() or nltk.data.find(). The flaw is an incomplete fix for GitHub Issue #3504: the _UNSAFE_NO_PROTOCOL_RE guard only matches literal ../ while url2pathname() decodes the encoded form after the check runs, so the validation is bypassed. No public exploit identified at time of analysis, though it was reported through a huntr.com bounty; it is not listed in CISA KEV and no EPSS score was supplied.
Unauthenticated remote denial of service in NLTK's WordNet Browser HTTP server (nltk.app.wordnet_app) through version 3.9.3 allows any network-reachable attacker to terminate the server process by sending a single GET request to /SHUTDOWN%20THE%20SERVER. The server binds to all interfaces by default and invokes os._exit(0) on receipt, with no public exploit identified at time of analysis but exploitation is trivial given the documented endpoint.