CVE-2026-0848

Exploit

EPSS 0.31%
Veröffentlicht 05.03.2026 20:48:05
Zuletzt bearbeitet 21.04.2026 14:56:46
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

Arbitrary Code Execution in NLTK StanfordSegmenter via Untrusted JAR Loading

NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nltk ≫ Nltk Version <= 3.9.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.539

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	10	3.9	6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://huntr.com/bounties/08b109bb-ac24-403f-9422-1c246ce60202

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-0848

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-0848

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-0848

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-0848