CVE-2026-0848

Source
https://cve.org/CVERecord?id=CVE-2026-0848
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0848.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-0848
Aliases
Downstream
Published
2026-03-05T20:48:05.364Z
Modified
2026-07-15T01:49:08.316031248Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Arbitrary Code Execution in NLTK StanfordSegmenter via Untrusted JAR Loading
Details

NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.

Database specific
{
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/0xxx/CVE-2026-0848.json",
    "cna_assigner": "@huntr_ai"
}
References

Affected packages

Git / github.com/nltk/nltk

Affected ranges

Type
GIT
Repo
https://github.com/nltk/nltk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.9.2"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

2.*
2.0.1rc1
2.0.1rc2
2.0.1rc3
2.0.1rc4
3.*
3.0.0b1
3.0.2
3.0.3
3.0.4
3.0.5
3.0a4
3.1
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3
3.4
3.4.1
3.4.3
3.4.4
3.5
3.5b1
3.6
3.6.1
3.6.2
3.6.5
3.6.6
3.6.7
3.7
3.8
3.8.1
3.8.2
3.9
3.9.1
3.9.2
v3.*
v3.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0848.json"