XML External Entity Vulnerability in Apache OpenNLP by Apache
CVE-2026-40682
Currently unrated
What is CVE-2026-40682?
The DictionaryEntryPersistor class in Apache OpenNLP configures its SAX parser improperly, leaving external entity resolution and DTD processing enabled. An attacker who can supply a crafted dictionary file can exploit this, potentially leading to local file disclosure or server-side request forgery. Users are advised to upgrade to the latest versions for mitigation and to ensure dictionary files come from trusted sources to minimize risk.
Affected Version(s)
Apache OpenNLP 0 < 2.5.9
Apache OpenNLP 3.0 < 3.0.0-M3