Arbitrary Code Execution Vulnerability in NLTK Product by NLTK
CVE-2026-12252
What is CVE-2026-12252?
In versions of NLTK prior to 3.9.4, several Stanford interface classes, including StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser, present a significant security risk. These classes accept user-defined JAR paths and execute them via the 'java()' function, which calls 'subprocess.Popen()' without sufficient integrity checks. As a result, untrusted JAR files can be executed, posing a serious risk of arbitrary code execution. A similar earlier vulnerability in StanfordSegmenter was mitigated by verifying the JAR's SHA256 digest; however, that check was not extended to the classes listed above, which remain exposed to potential exploits.
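The mitigation the description refers to, pinning a JAR's SHA256 digest and refusing to build the java command line when it does not match, can be written as a small wrapper in front of subprocess.Popen. The following is an added example and not NLTK's own code; the JAR contents, the pinned digest, the file name and the main class 'example.Main' are all constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


class JarIntegrityError(Exception):
    """Raised when a JAR is unpinned or its SHA256 digest does not match."""


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large JARs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_jars(classpath, pinned):
    """Reject any JAR absent from `pinned` (file name -> hex SHA256) or with a differing digest."""
    for jar in map(Path, classpath):
        expected = pinned.get(jar.name)
        if expected is None:
            raise JarIntegrityError(f"{jar.name} is not in the allowlist")
        actual = sha256_file(jar)
        if not hmac.compare_digest(actual, expected):
            raise JarIntegrityError(f"{jar.name}: expected {expected}, got {actual}")
    return True


def build_java_cmd(main_class, classpath, pinned, java_bin="java"):
    """Verify every JAR first, then return the argv to hand to subprocess.Popen."""
    verify_jars(classpath, pinned)
    return [java_bin, "-cp", os.pathsep.join(map(str, classpath)), main_class]


def demo():
    """Constructed scenario: a pinned JAR passes, a modified copy is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "stanford-postagger.jar"            # constructed stand-in, not a real JAR
        jar.write_bytes(b"PK\x03\x04 known-good jar contents")
        pinned = {jar.name: sha256_file(jar)}                 # digest pinned at install time
        argv = build_java_cmd("example.Main", [jar], pinned)  # placeholder main class
        jar.write_bytes(b"PK\x03\x04 modified jar contents")  # JAR replaced on disk afterwards
        try:
            build_java_cmd("example.Main", [jar], pinned)
            rejected = False
        except JarIntegrityError:
            rejected = True
    return {"argv": argv, "tampered_rejected": rejected}
```

The returned argv is what a caller would pass to subprocess.Popen; the point is that the process is never started when the digest check fails.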
Affected Version(s)
nltk/nltk <= unspecified
