Arbitrary Code Execution Vulnerability in NLTK Product by NLTK
CVE-2026-12252

7.8 HIGH

Key Information:

Vendor: Nltk

Status: Vendor

CVE Published: 4 July 2026

What is CVE-2026-12252?

In versions of NLTK prior to 3.9.4, several Stanford interface classes, including StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser, present a significant security risk. These classes accept user-defined JAR paths and execute them via the 'java()' function, which calls 'subprocess.Popen()' without sufficient integrity checks. This flaw allows untrusted JAR files to be executed, posing a serious risk of arbitrary code execution. A previous similar vulnerability in StanfordSegmenter was mitigated by SHA256 verification of the JAR; however, that measure was not extended to the classes listed above, which remain exposed.
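The mitigation the advisory describes for StanfordSegmenter is a digest check on the JAR before it is handed to subprocess. The following is an added example of that pattern written for this page; it is not NLTK's own code, and the names (verify_jar_sha256, build_java_command, JarIntegrityError) and the placeholder JAR bytes are assumptions constructed for illustration. It pins a SHA-256 digest, refuses to build the java command when the file on disk no longer matches, and passes arguments as an argv list rather than a shell string.

```python
"""Added example, not NLTK code: pin a JAR's SHA-256 before launching java.

All function names here are hypothetical; they mirror the idea of the
StanfordSegmenter fix described in the advisory, not its implementation.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile


class JarIntegrityError(RuntimeError):
    """Raised when a JAR is missing or its digest does not match the pin."""


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large JARs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_jar_sha256(path, expected_hex):
    """Return True only if the file exists and matches the pinned digest.

    hmac.compare_digest gives a constant-time comparison; a missing file is
    reported as a failed check so callers have a single refusal path.
    """
    if not os.path.isfile(path):
        return False
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def build_java_command(jar_path, expected_hex, main_class, args=(), java_bin="java"):
    """Build the argv list for subprocess, refusing an unverified JAR.

    Returning a list (never a shell string) means subprocess will not
    interpret metacharacters in user-supplied arguments.
    """
    if not verify_jar_sha256(jar_path, expected_hex):
        raise JarIntegrityError(
            f"refusing to run {jar_path}: SHA-256 mismatch or file missing"
        )
    return [java_bin, "-cp", jar_path, main_class, *args]


def run_java(jar_path, expected_hex, main_class, args=()):
    """Launch the JAR only after the integrity check has passed."""
    cmd = build_java_command(jar_path, expected_hex, main_class, args)
    return subprocess.run(cmd, check=False, capture_output=True, text=True)


def demo():
    """Constructed scenario: a placeholder 'JAR' is pinned to its own digest,
    then modified on disk. Returns the argv built before tampering and
    whether the check refused the file afterwards."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "stanford-demo.jar")  # constructed path
        with open(jar, "wb") as f:
            f.write(b"PK\x03\x04 constructed placeholder jar bytes")
        pinned = sha256_of_file(jar)  # the value a project would ship as its pin
        argv = build_java_command(jar, pinned, "edu.example.Main", ["-model", "x"])
        with open(jar, "ab") as f:
            f.write(b"\x00 tampered")  # simulate a swapped or altered JAR
        try:
            build_java_command(jar, pinned, "edu.example.Main")
            refused = False
        except JarIntegrityError:
            refused = True
        return {"argv_before": argv, "refused_after_tamper": refused}


if __name__ == "__main__":
    print(demo())
```

The pinned digest must come from a trusted source (the project's own release metadata), not from the same user-controlled location as the JAR path; otherwise the check verifies nothing. Pinning per JAR version also means upgrades require a deliberate pin update, which is the intended friction.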

Affected Version(s)

nltk/nltk <= unspecified

References

CVSS V3.0

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
