Arbitrary Code Execution Vulnerability in NLTK's StanfordSegmenter Module
CVE-2026-0848
Key Information:
Badges
What is CVE-2026-0848?
The StanfordSegmenter module in NLTK is susceptible to arbitrary code execution due to inadequate input validation. It improperly handles external Java .jar files, allowing attackers to manipulate these files without verification. This flaw permits the execution of arbitrary Java bytecode when a malicious JAR file is imported. Exploits can occur through various techniques like model poisoning, man-in-the-middle attacks, or dependency poisoning, leading to potential remote code execution. The vulnerability stems from executing unverified classpath inputs via subprocess, opening the door for harmful classes to run within the Java Virtual Machine.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
nltk/nltk <= unspecified
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.