CVE-2026-0848

EPSS 0.48%
Veröffentlicht 05.03.2026 20:48:05
Zuletzt bearbeitet 09.03.2026 13:36:08
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellernltk

≫

Produkt nltk/nltk

Version <= latest

Version unspecified

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.48%	0.647

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	10	3.9	6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://huntr.com/bounties/08b109bb-ac24-403f-9422-1c246ce60202

https://nvd.nist.gov/vuln/detail/CVE-2026-0848

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-0848

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-0848

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-0848