CVE-2026-0848: NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegment
Summary
NLTK (Natural Language Toolkit, a Python library for text processing) versions 3.9.2 and earlier have a serious vulnerability in the StanfordSegmenter module, which loads external Java files without checking if they are legitimate. An attacker can trick the system into running malicious code by providing a fake Java file, which executes when the module loads, potentially giving them full control over the system.
Vulnerability Details
EPSS: 0.4%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-0848
First tracked: March 5, 2026 at 07:08 PM
Classified by LLM (prompt v3) · confidence: 95%