PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54499 stanfordnlp CVE debrief

CVE-2026-54499 is a HIGH severity vulnerability in the Stanza NLP library. The issue arises from the library's model loaders, specifically in the `stanza.models.common.pretrain.Pretrain.load()` function, which attempts to load PyTorch models using `torch.load()` with `weights_only=True`. However, if an attacker-controllable `pickle.UnpicklingError` occurs, the loader falls back to `torch.load()` with `weights_only=False`, allowing arbitrary pickle code execution when a malicious `.pt` pretrain or model file is loaded. This vulnerability is fixed in version 1.12.2.

Vendor
stanfordnlp
Product
stanza
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of the Stanza NLP library, particularly those who load models from untrusted sources, should be aware of this vulnerability and take steps to mitigate it. This includes ensuring that models are loaded from trusted sources and that the library is updated to version 1.12.2 or later.

Technical summary

The Stanza NLP library, prior to version 1.12.2, contains a vulnerability in its model loading functionality. Specifically, the `stanza.models.common.pretrain.Pretrain.load()` function attempts to load PyTorch models using `torch.load()` with `weights_only=True`. If a `pickle.UnpicklingError` occurs during this process, the function falls back to `torch.load()` with `weights_only=False`. This fallback behavior allows an attacker to execute arbitrary pickle code by providing a malicious `.pt` pretrain or model file. The vulnerability is addressed in version 1.12.2 of the library.

Defensive priority

High

Recommended defensive actions

  • Update the Stanza NLP library to version 1.12.2 or later
  • Ensure that models are loaded from trusted sources
  • Implement additional security measures, such as validating model files before loading
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-08T23:16:54.690Z and was last modified on 2026-07-10T19:03:20.407Z. The NVD entry is currently Awaiting Analysis. This vulnerability affects users of the Stanza NLP library who load models from untrusted sources. Evidence is limited to public CVE and NVD information. Defenders should verify model sources and update to version 1.12.2 or later.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T23:16:54.690Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.