CVE-2026-12252 nltk vulnerability
In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes (StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser) are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute them via the `java()` function, which invokes `subprocess.Popen()` without integrity verification. This vulnerability is identical to CVE-2026-0848, which was fixed for StanfordSegmenter by adding SHA256 verification. However, the fix was not applied to these additional classes, leaving them susceptible to arbitrary code execution when loading untrusted JAR files.
Quick answer
nltk should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Review vendor advisory for affected versions.
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
CVE-2026-12252 affects NLTK Stanford interface classes that execute user-controllable JAR paths. Until a fixed NLTK release is deployed (a vendor-fixed NLTK release when available, plus immediate controls for untrusted Stanford JAR paths), block untrusted JAR paths and restrict the Stanford tagger/parser interfaces to trusted, integrity-checked artifacts. Affected ranges in the local record are through 3.9.3.
- Inventory Python applications, notebooks, NLP workers, training jobs, and batch pipelines that use NLTK StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, or StanfordNeuralDependencyParser.
- Identify any user, tenant, upload, dataset, environment variable, or configuration path that can control Stanford JAR locations.
- Upgrade to a vendor-fixed NLTK release when available, plus immediate controls for untrusted Stanford JAR paths as soon as the vendor-supported fix is available for the deployed environment.
- Immediately restrict JAR paths to a local allowlist of trusted files and verify SHA256 hashes before invocation.
- Run the NLP workload in a sandboxed account with no production secrets, limited filesystem access, and constrained network permissions.
- Remove or disable workflows that call the affected Stanford interfaces with user-provided files until the patched package and path validation are active.
- Audit job logs and process execution telemetry for unexpected Java commands, unknown JAR paths, suspicious subprocesses, or model files from untrusted sources.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the deployed NLTK package is no longer in the affected range or that runtime controls enforce trusted JAR allowlists and hashes.
- Run tests that pass malicious or unexpected JAR paths to each affected Stanford interface and confirm execution is blocked.
- Check runtime telemetry for Java subprocesses and verify only approved Stanford JAR files are executed.
- Open the generated Fixnx page and confirm the canonical URL ends with nltk-cve-2026-12252.
- Re-run sitemap validation and confirm nltk-cve-2026-12252 appears once in sitemap.xml with the full CVE-2026-12252 suffix.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-12252?
nltk should be checked against the vendor advisory and trusted references linked on this page.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
