CVE-2026-40682

A flaw was found in Apache OpenNLP. A remote attacker can exploit this vulnerability by providing a specially crafted dictionary file. This can lead to an XML External Entity XXE injection, which allows for the disclosure of local files or enables server-side request forgery SSRF, where the serve...

Linux Distros Unpatched Vulnerability : CVE-2026-42027

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The...

GHSA-659W-93R5-9J6M Apache OpenNLP AbstractModelReader has an OOM Denial of Service via Unbounded Array Allocation

OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader Versions Affected: Before 2.5.9 Before 3.0.0-M3 Description: The AbstractModelReader methods getOutcomes, getOutcomePatterns, and getPredicates each read a 32-bit signed integer count field from a binary...

Apache OpenNLP DictionaryEntryPersistor Vulnerable to XML External Entity (XXE) via Unsanitized Dictionary Parsing

XML External Entity XXE via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURESECUREPROCESSING ...

GHSA-4V8G-86X5-3VRC Apache OpenNLP DictionaryEntryPersistor Vulnerable to XML External Entity (XXE) via Unsanitized Dictionary Parsing

XML External Entity XXE via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURESECUREPROCESSING ...

DEBIAN-CVE-2026-40682

XML External Entity XXE via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURESECUREPROCESSING ...

CVE-2026-42027

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtensionClass, String method loads a class by its fully-qualified name via Class.forName and invokes its no-arg...

CVE-2026-42440

OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader Versions Affected: before 2.5.9 before 3.0.0-M3 Description: The AbstractModelReader methods getOutcomes, getOutcomePatterns, and getPredicates each read a 32-bit signed integer count field from a binary...

ae.teletronics.nlp:entityextraction (=1.3), at.researchstudio.sat:won-matcher-rescal (>=0.3 <=0.6) +542 more potentially affected by CVE-2017-12620 via org.apache.opennlp:opennlp-tools (>=1.5.2-incubating <=1.8.1)

org.apache.opennlp:opennlp-tools MAVEN version =1.5.2-incubating, =0.3, =0.2, =3.6.1, =3.11.0, =2.0.0, =2.0.0, =1.1, =0.3, =0.2, =0.6, =0.8 - com.blazemeter:jmeter-plugins-rotating-listener =0.2 - com.centit.support:centit-es-client =0.1.1806 and more Source cves: CVE-2017-12620 Source advisory:...