PatchSiren cyber security CVE debrief
CVE-2026-12252 nltk CVE debrief
CVE-2026-12252 is a high-severity vulnerability (CVSS Score: 7.8) affecting nltk/nltk versions 3.9.3 and earlier. The vulnerability exists in five Stanford interface classes: StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser. These classes accept user-controllable JAR paths and execute them via the `java()` function, which invokes `subprocess.Popen()` without integrity verification. This allows for arbitrary code execution when loading untrusted JAR files. The vulnerability is identical to CVE-2026-0848, which was previously fixed for StanfordSegmenter by adding SHA256 verification. However, this fix was not applied to the affected classes, leaving them vulnerable.
- Vendor: nltk
- Product: nltk/nltk
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-07-04
- Original CVE updated: 2026-07-04
- Advisory published: 2026-07-04
- Advisory updated: 2026-07-04
Who should care
Developers and users of the nltk/nltk library, particularly those using versions 3.9.3 and earlier, should be aware of this vulnerability. The vulnerability's high severity and potential for arbitrary code execution make it a priority for defenders to address.
Technical summary
The vulnerability exists in the nltk/nltk library, specifically in the five Stanford interface classes: StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser. These classes execute user-controllable JAR paths via the `java()` function, which invokes `subprocess.Popen()` without integrity verification. This allows for arbitrary code execution when loading untrusted JAR files. The vulnerability is a result of not applying the SHA256 verification fix, previously applied to StanfordSegmenter, to these classes.
Defensive priority
Defenders should treat this vulnerability as high priority, because it allows arbitrary code execution. The first step is updating to a patched version of nltk/nltk; where that is not yet possible, compensating controls should be put in place to reduce the risk.
Recommended defensive actions
- Update nltk/nltk to a patched version, if available.
- Implement SHA256 verification for JAR files loaded by the affected classes.
- Restrict access to the affected classes and JAR files.
- Monitor for suspicious activity related to JAR file loading.
- Consider implementing additional security controls, such as sandboxing or isolation, for the affected classes and JAR files.
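The second action above, verifying a JAR's SHA256 before it is handed to `subprocess`, is the same control the advisory says was added for StanfordSegmenter. The following is an added example written for this debrief, not nltk's own code, of what such a check looks like in a wrapper around a Java invocation. The allowlist dictionary, the `com.example.Main` class name, and the sample JAR bytes are constructed for illustration; real digests would come from the upstream release checksums, never from the same untrusted location as the JAR itself.

```python
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path

# Hypothetical allowlist of JAR basename -> expected SHA-256 hex digest.
# The value here is a placeholder; populate it from vetted release checksums.
EXPECTED_JAR_SHA256 = {
    "stanford-postagger.jar": "<sha256 of the vetted release, placeholder>",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large JARs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_jar(path, expected_sha256):
    """Return True only if the file at `path` hashes to `expected_sha256`."""
    actual = sha256_of_file(path)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(actual.lower(), expected_sha256.lower())


def build_java_cmd(jar_path, expected_sha256, main_class, args=(), java_bin="java"):
    """Build the argv for a Java invocation, refusing any JAR whose digest does not match.

    The point of the check is that the path is user-controlled: the file is
    hashed and compared *before* it can ever reach subprocess.
    """
    p = Path(jar_path)
    if not p.is_file():
        raise FileNotFoundError(f"JAR not found: {p}")
    if not verify_jar(p, expected_sha256):
        raise ValueError(f"refusing to run {p.name}: SHA-256 does not match the allowlist")
    return [java_bin, "-cp", str(p), main_class, *args]


def run_verified_jar(jar_path, expected_sha256, main_class, args=()):
    """Verify, then run. Uses an argv list (no shell) so no string is ever parsed by a shell."""
    cmd = build_java_cmd(jar_path, expected_sha256, main_class, args)
    return subprocess.run(cmd, capture_output=True, text=True, check=False)


def demo_with_constructed_jar():
    """Constructed sample: a fake 'JAR' whose bytes we control, plus a tampered copy."""
    good_bytes = b"PK\x03\x04 constructed fake jar content"
    tampered_bytes = good_bytes + b"\x00extra"
    expected = hashlib.sha256(good_bytes).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "stanford-postagger.jar"
        bad = Path(d) / "stanford-postagger-tampered.jar"
        good.write_bytes(good_bytes)
        bad.write_bytes(tampered_bytes)
        good_ok = verify_jar(good, expected)      # expected: True
        bad_ok = verify_jar(bad, expected)        # expected: False
        cmd = build_java_cmd(good, expected, "com.example.Main")  # constructed class name
        try:
            build_java_cmd(bad, expected, "com.example.Main")
            refused = False
        except ValueError:
            refused = True
    return {"good_ok": good_ok, "bad_ok": bad_ok, "refused": refused, "cmd_head": cmd[:2]}


if __name__ == "__main__":
    print(demo_with_constructed_jar())
```

`run_verified_jar` is the only function that actually launches Java; the demo stops at `build_java_cmd` so it runs offline. The digest lookup and the launch are kept in one function so a caller cannot accidentally skip the check, which is the gap the advisory describes between StanfordSegmenter and the five unpatched classes.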
Evidence notes
The vulnerability was reported by [email protected] and is documented in the CVE-2026-12252 record on CVE.org and the NVD detail page. The vulnerability's existence and details are corroborated by multiple sources, including the nltk/nltk library and the Huntr bug bounty platform.
Official resources
- CVE-2026-12252 CVE record (CVE.org)
- CVE-2026-12252 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
This article was generated with AI assistance based on the supplied source corpus.