CVE-2026-42027 Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader

🗓️ 04 May 2026 16:43:12Reported by apacheType

OpenNLP ExtensionLoader may load a class from a model manifest, triggering static init; upgrade to 2.5.9 or 3.0.0-M3.

Reporter	Title	Published	Views	Family All 26
ATTACKERKB	CVE-2026-42027	4 May 202616:43	–	attackerkb
Chainguard	CVE-2026-42027 vulnerabilities	9 May 202613:17	–	cgr
Circl	CVE-2026-42027	5 May 202620:20	–	circl
CNNVD	Apache OpenNLP 安全漏洞	4 May 202600:00	–	cnnvd
CVE	CVE-2026-42027	4 May 202616:43	–	cve
Debian CVE	CVE-2026-42027	4 May 202616:43	–	debiancve
EUVD	EUVD-2026-27005	4 May 202616:43	–	euvd
Github Security Blog	Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest	4 May 202618:30	–	github
NVD	CVE-2026-42027	4 May 202617:16	–	nvd
OSV	CGA-W3C2-H8WR-6JP4	9 May 202616:33	–	osv

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2/",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.opennlp:opennlp-tools",
    "product": "Apache OpenNLP",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.5.9",
        "status": "affected",
        "version": "2.0",
        "versionType": "semver"
      },
      {
        "lessThan": "3.0.0-M3",
        "status": "affected",
        "version": "3.0",
        "versionType": "semver"
      },
      {
        "lessThan": "1.9.5",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y

29 Jun 2026 19:56Current

EPSS0.00693

CWE-470