highCVE-2026-54499

Stanza Model Loader Unsafe Pickle Deserialization RCE Vulnerability

Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load() attempt torch.load(..., weights_only=True) but fall back to torch.load(..., weights_only=False) on attacker-controllable pickle.UnpicklingError, allowing a malicious .pt pretrain or model file to execute arbitrary pickle code when a Stanza NLP pipeline loads it. This issue is fixed in version 1.12.2.

ProductStanza
CVSS7.5
EPSS0.00302
UpdatedJuly 10, 2026

Quick answer

Stanford NLP Stanza should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Stanza before 1.12.2

Fixed versions

  • 1.12.2

How to fix it

Stanza before 1.12.2 can fall back to unsafe pickle deserialization while loading model or pretrain files, allowing malicious .pt files to execute code. Update Stanza and remove untrusted models from NLP pipelines.

  1. Inventory Python projects, notebooks, workers, and ML pipelines using stanza before 1.12.2.
  2. Upgrade stanza to 1.12.2 or later in requirements, lockfiles, containers, and runtime images.
  3. Delete untrusted or manually supplied .pt model and pretrain files from shared model directories.
  4. Download Stanza models only from trusted official sources and verify hashes where possible.
  5. Run model loading in a least-privilege sandbox without access to production secrets.
  6. Rotate credentials available to affected NLP workers if untrusted models may have been loaded.
  7. Add dependency scanning and model provenance checks to CI before deploying NLP workloads.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm all runtime environments import stanza 1.12.2 or later.
  • Verify model directories contain only trusted and expected files.
  • Load required models in a test environment and confirm no unsafe fallback behavior occurs.
  • Review logs and filesystem timestamps for unexpected model loading before the upgrade.
  • Run a Fixnx scan and confirm exposed NLP services do not leak model or environment files.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-54499?

Stanford NLP Stanza versions listed as affected should be reviewed: Stanza before 1.12.2.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.