CVE-2026-54499
Received Received - Intake

Arbitrary Code Execution in Stanza NLP Library

Vulnerability report for CVE-2026-54499, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load() attempt torch.load(..., weights_only=True) but fall back to torch.load(..., weights_only=False) on attacker-controllable pickle.UnpicklingError, allowing a malicious .pt pretrain or model file to execute arbitrary pickle code when a Stanza NLP pipeline loads it. This issue is fixed in version 1.12.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
stanford stanza 1.12.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-676 The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Stanford NLP Python library called Stanza, specifically in versions prior to 1.12.2. The issue occurs when Stanza model loaders, such as stanza.models.common.pretrain.Pretrain.load(), try to load model files using torch.load with the weights_only=True option. If this attempt fails due to a pickle.UnpicklingError, the loader falls back to using torch.load with weights_only=False on a file that can be controlled by an attacker. This fallback allows a malicious .pt pretrain or model file to execute arbitrary code through Python's pickle mechanism when the Stanza NLP pipeline loads it.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary code on the system running the Stanza NLP pipeline. Since the malicious code is executed during the loading of a crafted model file, an attacker could potentially take control of the affected system, leading to data compromise, system disruption, or further exploitation.

Mitigation Strategies

To mitigate this vulnerability, upgrade the Stanza library to version 1.12.2 or later, where the issue is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart