Home

Description

Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load() attempt torch.load(..., weights_only=True) but fall back to torch.load(..., weights_only=False) on attacker-controllable pickle.UnpicklingError, allowing a malicious .pt pretrain or model file to execute arbitrary pickle code when a Stanza NLP pipeline loads it. This issue is fixed in version 1.12.2.

PUBLISHED Reserved 2026-06-15 | Published 2026-07-08 | Updated 2026-07-09 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-502: Deserialization of Untrusted Data

CWE-676: Use of Potentially Dangerous Function

Product status

< 1.12.2
affected

References

github.com/...stanza/security/advisories/GHSA-v5jw-96jm-7h2c exploit

github.com/...stanza/security/advisories/GHSA-v5jw-96jm-7h2c

github.com/stanfordnlp/stanza/pull/1587

github.com/...ommit/b745008c68c9e50ccb5acd537cb6f2453f8b7ad4

github.com/stanfordnlp/stanza/releases/tag/v1.12.2

cve.org (CVE-2026-54499)

nvd.nist.gov (CVE-2026-54499)

Download JSON