Arbitrary Code Execution Vulnerability in Stanza NLP Python Library
CVE-2026-54499

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-54499?

Stanza, a popular NLP library developed by Stanford, is susceptible to an arbitrary code execution vulnerability due to improper handling of model file loading. Specifically, versions prior to 1.12.2 allow attackers to exploit 'pickle' errors in model loaders, leading to unwanted execution of potentially malicious code embedded within the model files. It is essential for users of Stanza to upgrade to version 1.12.2 or later to mitigate this security risk.

Affected Version(s)

stanza < 1.12.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.