CVE-2026-54499: Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human language
Summary
Stanza, a Stanford library for processing human language in Python, had a vulnerability where loading malicious model files could allow attackers to run arbitrary code on a user's computer. The problem occurred because the library would try a secure loading method first, but if that failed, it would fall back to an unsafe method that could execute malicious instructions hidden in pickle (a Python format for storing data).
Solution / Mitigation
This issue is fixed in version 1.12.2. Users should update Stanza to version 1.12.2 or later.
Vulnerability Details
7.5(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
network
high
none
required
July 8, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-54499
First tracked: July 8, 2026 at 08:07 PM
Classified by LLM (prompt v3) · confidence: 95%