Is nltk affected by CVE-2026-0848?

PyPI nltk is affected in <3.9.3.

Is CVE-2026-0848 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.8%.

critical

CVE-2026-0848

Q: Is CVE-2026-0848 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.8%.

PyPI · nltk

Summary

NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of arbit

Severity: critical
EPSS: 0.8% (p51)
Also known as: PYSEC-2026-99
Published: 2026-03-05

References

https://huntr.com/bounties/08b109bb-ac24-403f-9422-1c246ce60202

Related advisories

CVE-2025-14009 — critical · PyPI/nltk
CVE-2026-54293 — high · PyPI/nltk
CVE-2026-33236 — high · PyPI/nltk
CVE-2026-33231 — high · PyPI/nltk
CVE-2026-0846 — high · PyPI/nltk
CVE-2026-0847 — high · PyPI/nltk
CVE-2026-33230 — medium · PyPI/nltk
GHSA-rf74-v2fm-23pw — medium · PyPI/nltk

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.