{"data":{"id":"07eccfe5-d1d5-4133-aa35-05bd62e42c1d","title":"CVE-2026-54499: Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human language","summary":"Stanza, a Stanford library for processing human language in Python, had a vulnerability where loading malicious model files could allow attackers to run arbitrary code on a user's computer. The problem occurred because the library would try a secure loading method first, but if that failed, it would fall back to an unsafe method that could execute malicious instructions hidden in pickle (a Python format for storing data).","solution":"This issue is fixed in version 1.12.2. Users should update Stanza to version 1.12.2 or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-54499","publishedAt":"2026-07-08T23:16:54.690Z","cveId":"CVE-2026-54499","cweIds":["CWE-502","CWE-676"],"cvssScore":"7.5","cvssSeverity":"high","severity":"high","attackType":["model_poisoning","supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Stanford NLP","Stanza"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"network","attackComplexity":"high","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-07-08T23:16:54.690Z","capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}