CVE-2026-0848CRITICAL 10.0EPSS p51.0%

CVE-2026-0848CVE-2026-0848

Description

NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbitrary Java bytecode at import time. This vulnerability can be exploited through methods such as model poisoning, MITM attacks, or dependency poisoning, leading to remote code execution. The issue arises from the direct execution of the JAR file via subprocess with unvalidated classpath input, allowing malicious classes to execute when loaded by the JVM.

Scoring

CVSS 3.010.0 (CRITICAL)
VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS0.78% probability of exploitation · percentile 51.0% · 2026-06-19T12:03:05Z
Published2026-03-05
Last modified2026-04-21

Underlying weaknesses· 1

CWE-20

References

  1. https://huntr.com/bounties/08b109bb-ac24-403f-9422-1c246ce60202
  2. https://huntr.com/bounties/08b109bb-ac24-403f-9422-1c246ce60202

1

TypeTargetConfidenceTier
WeaknessImproper Input Validationcwe-200%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-14009
CVE
CVE-2026-42027
CVE
CVE-2026-33236
CVE
CVE-2026-7304
CVE
CVE-2026-31224
CVE
CVE-2026-3071
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.