Lucene search

16 matches found

RedhatCVE
added 2026/05/06 4:26 a.m., 6 views

CVE-2026-42027

A flaw was found in Apache OpenNLP. An attacker, by providing a specially crafted model archive, can exploit a vulnerability in the ExtensionLoader component. This allows the attacker to force the system to load and initialize any class present on the classpath, executing its static initializer...

9.8 CVSS, 6.1 AI score, 0.00641 EPSS
Exploits: 0, References: 5

SUSE CVE
added 2026/05/05 1:45 a.m., 2 views

SUSE CVE-2026-40682

XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING ...

9.1 CVSS, 5.8 AI score, 0.00113 EPSS
Exploits: 0, References: 3

OSV
added 2026/05/04 6:30 p.m., 1 views

GHSA-CX4M-2P55-RW7J Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName and invokes its no-arg...

9.8 CVSS, 6.1 AI score, 0.00641 EPSS
Exploits: 0, References: 4

OSV
added 2026/05/04 5:16 p.m., 0 views

UBUNTU-CVE-2026-42440

OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The AbstractModelReader methods getOutcomes, getOutcomePatterns, and getPredicates each read a 32-bit signed integer count field from a binary...

7.5 CVSS, 5.9 AI score, 0.00189 EPSS
Exploits: 0, References: 5

Vulnrichment
added 2026/05/04 4:55 p.m., 2 views

CVE-2026-40682 Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor

XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING ...

5.8 AI score, 0.00113 EPSS
Exploits: 0, References: 1

Debian CVE
added 2026/05/04 4:43 p.m., 5 views

CVE-2026-42027

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName and invokes its no-arg...

9.8 CVSS, 6.1 AI score, 0.00641 EPSS
Exploits: 0

Vulnrichment
added 2026/05/04 4:43 p.m., 0 views

CVE-2026-42027 Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName and invokes its no-arg...

6.1 AI score, 0.00641 EPSS
Exploits: 0, References: 1

CNNVD
added 2026/05/04 12:0 a.m., 7 views

Apache OpenNLP Security Vulnerability

Apache OpenNLP is a natural language processing toolkit developed by the Apache Foundation. Versions of Apache OpenNLP prior to 2.5.9 and 3.0.0-M3 contained security vulnerabilities. These vulnerabilities stemmed from the ExtensionLoader.instantiateExtension method, which loaded and initialized...

9.8 CVSS, 5.9 AI score, 0.00641 EPSS
Exploits: 0, References: 1

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2022-4039

Malicious code in bioql PyPI...

9.8 CVSS, 9.3 AI score, 0.01018 EPSS
Exploits: 5, References: 2

Github Security Blog
added 2022/05/17 12:29 a.m., 16 views

Improper Restriction of XML External Entity Reference in Apache OpenNLP

When loading models or dictionaries that contain XML, it is possible to perform an XXE attack. Since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache...

9.8 CVSS, 4.7 AI score, 0.01018 EPSS
Exploits: 5, References: 3, Affected Software: 1

IBM Security Bulletins
added 2021/10/14 9:21 p.m., 51 views

Security Bulletin: IBM Cognos Analytics with Watson 11.2.1 has addressed multiple vulnerabilities

Summary: Security vulnerabilities have been addressed in IBM Cognos Analytics with Watson 11.2.1. Vulnerability Details: CVEID: CVE-2017-12620. DESCRIPTION: Apache OpenNLP could allow a remote attacker to obtain sensitive information, caused by an XXE attack when loading models or dictionaries that...

9.8 CVSS, 10.6 AI score, 0.8093 EPSS
Exploits: 11, Affected Software: 1

0day.today
added 2017/10/04 12:0 a.m., 30 views

Apache OpenNLP XXE Vulnerability

Exploit for multiple platform in category remote exploits. CVE-2017-12620 - Apache OpenNLP XXE vulnerability. Severity: Medium. Vendor: The Apache Software Foundation. Versions Affected: OpenNLP 1.5.0 to 1.5.3, OpenNLP 1.6.0, OpenNLP 1.7.0 to 1.7.2, OpenNLP 1.8.0 to 1.8.1. Description: When loading model...

7.5 CVSS, 9.3 AI score, 0.01018 EPSS
Exploits: 5

Veracode
added 2017/10/03 7:44 a.m., 12 views

XML External Entity Processing (XXE)

Apache OpenNLP is vulnerable to XML external entity processing (XXE) attacks. The attacks can be launched because it does not sanitize the XML in the input, allowing the attackers to parse models or dictionaries with malicious XML...

9.8 CVSS, 9.1 AI score, 0.01018 EPSS
Exploits: 5, References: 2, Affected Software: 2

Prion
added 2017/10/03 1:29 a.m., 8 views

Design/Logic Flaw

When loading models or dictionaries that contain XML, it is possible to perform an XXE attack. Since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache...

7.5 CVSS, 9.3 AI score, 0.01018 EPSS
Exploits: 5, References: 1, Affected Software: 1

CVE
added 2017/10/02 2:0 p.m., 77 views

CVE-2017-12620

CVE-2017-12620 describes an XML External Entity (XXE) vulnerability in Apache OpenNLP when loading models or dictionaries that contain XML from untrusted sources. The connected documents identify the affected OpenNLP versions: 1.5.0–1.5.3, 1.6.0, 1.7.0–1.7.2, and 1.8.0–1.8.1. The XXE issue is the...

9.8 CVSS, 9.3 AI score, 0.01018 EPSS
Exploits: 5, References: 1, Affected Software: 1

Cvelist
added 2017/10/02 2:0 p.m., 13 views

CVE-2017-12620

When loading models or dictionaries that contain XML, it is possible to perform an XXE attack. Since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache...

9.5 AI score, 0.01018 EPSS
Exploits: 5, References: 1