Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    10 vulnerabilities by stanfordnlp

    CVE-2026-54499 (GCVE-0-2026-54499)

    Vulnerability from nvd – Published: 2026-07-08 22:23 – Updated: 2026-07-08 22:23
    VLAI
    Title
    Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders
    Summary
    Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load() attempt torch.load(..., weights_only=True) but fall back to torch.load(..., weights_only=False) on attacker-controllable pickle.UnpicklingError, allowing a malicious .pt pretrain or model file to execute arbitrary pickle code when a Stanza NLP pipeline loads it. This issue is fixed in version 1.12.2.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-676 - Use of Potentially Dangerous Function
    Assigner
    Impacted products
    Vendor Product Version
    stanfordnlp stanza Affected: < 1.12.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "stanza",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.12.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load() attempt torch.load(..., weights_only=True) but fall back to torch.load(..., weights_only=False) on attacker-controllable pickle.UnpicklingError, allowing a malicious .pt pretrain or model file to execute arbitrary pickle code when a Stanza NLP pipeline loads it. This issue is fixed in version 1.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-676",
                  "description": "CWE-676: Use of Potentially Dangerous Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T22:23:02.664Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/stanfordnlp/stanza/security/advisories/GHSA-v5jw-96jm-7h2c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/stanfordnlp/stanza/security/advisories/GHSA-v5jw-96jm-7h2c"
            },
            {
              "name": "https://github.com/stanfordnlp/stanza/pull/1587",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/stanza/pull/1587"
            },
            {
              "name": "https://github.com/stanfordnlp/stanza/commit/b745008c68c9e50ccb5acd537cb6f2453f8b7ad4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/stanza/commit/b745008c68c9e50ccb5acd537cb6f2453f8b7ad4"
            },
            {
              "name": "https://github.com/stanfordnlp/stanza/releases/tag/v1.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/stanza/releases/tag/v1.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-v5jw-96jm-7h2c",
            "discovery": "UNKNOWN"
          },
          "title": "Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54499",
        "datePublished": "2026-07-08T22:23:02.664Z",
        "dateReserved": "2026-06-15T18:01:15.511Z",
        "dateUpdated": "2026-07-08T22:23:02.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-0239 (GCVE-0-2022-0239)

    Vulnerability from nvd – Published: 2022-01-17 06:15 – Updated: 2024-08-23 14:38
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
    Summary
    corenlp is vulnerable to Improper Restriction of XML External Entity Reference
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    stanfordnlp stanfordnlp/corenlp Affected: unspecified , < 4.3.3 (custom)
    Create a notification for this product.
    stanford corenlp Affected: 0 , < 4.3.3 (custom)
        cpe:2.3:a:stanford:corenlp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:18:42.857Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:stanford:corenlp:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "corenlp",
                "vendor": "stanford",
                "versions": [
                  {
                    "lessThan": "4.3.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-0239",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-23T03:55:39.631494Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-23T14:38:48.375Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "stanfordnlp/corenlp",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "lessThan": "4.3.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-17T06:15:11.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd"
            }
          ],
          "source": {
            "advisory": "a717aec2-5646-4a5f-ade0-dadc25736ae3",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-0239",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "stanfordnlp/corenlp",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.3.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "stanfordnlp"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3"
                },
                {
                  "name": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd",
                  "refsource": "MISC",
                  "url": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd"
                }
              ]
            },
            "source": {
              "advisory": "a717aec2-5646-4a5f-ade0-dadc25736ae3",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-0239",
        "datePublished": "2022-01-17T06:15:11.000Z",
        "dateReserved": "2022-01-16T00:00:00.000Z",
        "dateUpdated": "2024-08-23T14:38:48.375Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0198 (GCVE-0-2022-0198)

    Vulnerability from nvd – Published: 2022-01-13 06:45 – Updated: 2024-08-02 23:18
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
    Summary
    corenlp is vulnerable to Improper Restriction of XML External Entity Reference
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    stanfordnlp stanfordnlp/corenlp Affected: unspecified , < 4.3.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:18:42.562Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "stanfordnlp/corenlp",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "lessThan": "4.3.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-13T06:45:10.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
            }
          ],
          "source": {
            "advisory": "3d7e70fe-dddd-4b79-af62-8e058c4d5763",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-0198",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "stanfordnlp/corenlp",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.3.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "stanfordnlp"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
                },
                {
                  "name": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d",
                  "refsource": "MISC",
                  "url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
                }
              ]
            },
            "source": {
              "advisory": "3d7e70fe-dddd-4b79-af62-8e058c4d5763",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-0198",
        "datePublished": "2022-01-13T06:45:10.000Z",
        "dateReserved": "2022-01-12T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:18:42.562Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3869 (GCVE-0-2021-3869)

    Vulnerability from nvd – Published: 2021-10-19 12:30 – Updated: 2024-08-03 17:09
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
    Summary
    corenlp is vulnerable to Improper Restriction of XML External Entity Reference
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    stanfordnlp stanfordnlp/corenlp Affected: unspecified , ≤ 4.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.917Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/2f8baf6c-14b3-420d-8ede-9805797cd324"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "stanfordnlp/corenlp",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-19T12:30:32.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/2f8baf6c-14b3-420d-8ede-9805797cd324"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a"
            }
          ],
          "source": {
            "advisory": "2f8baf6c-14b3-420d-8ede-9805797cd324",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2021-3869",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "stanfordnlp/corenlp",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "stanfordnlp"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/2f8baf6c-14b3-420d-8ede-9805797cd324",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/2f8baf6c-14b3-420d-8ede-9805797cd324"
                },
                {
                  "name": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
                  "refsource": "MISC",
                  "url": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a"
                }
              ]
            },
            "source": {
              "advisory": "2f8baf6c-14b3-420d-8ede-9805797cd324",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2021-3869",
        "datePublished": "2021-10-19T12:30:32.000Z",
        "dateReserved": "2021-10-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:09:09.917Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3878 (GCVE-0-2021-3878)

    Vulnerability from nvd – Published: 2021-10-15 13:40 – Updated: 2024-08-03 17:09
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
    Summary
    corenlp is vulnerable to Improper Restriction of XML External Entity Reference
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    stanfordnlp stanfordnlp/corenlp Affected: unspecified , ≤ 4.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.613Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "stanfordnlp/corenlp",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-15T13:40:21.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99"
            }
          ],
          "source": {
            "advisory": "a11c889b-ccff-4fea-9e29-963a23a63dd2",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2021-3878",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "stanfordnlp/corenlp",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "stanfordnlp"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2"
                },
                {
                  "name": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99",
                  "refsource": "MISC",
                  "url": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99"
                }
              ]
            },
            "source": {
              "advisory": "a11c889b-ccff-4fea-9e29-963a23a63dd2",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2021-3878",
        "datePublished": "2021-10-15T13:40:21.000Z",
        "dateReserved": "2021-10-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:09:09.613Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-54499 (GCVE-0-2026-54499)

    Vulnerability from cvelistv5 – Published: 2026-07-08 22:23 – Updated: 2026-07-08 22:23
    VLAI
    Title
    Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders
    Summary
    Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load() attempt torch.load(..., weights_only=True) but fall back to torch.load(..., weights_only=False) on attacker-controllable pickle.UnpicklingError, allowing a malicious .pt pretrain or model file to execute arbitrary pickle code when a Stanza NLP pipeline loads it. This issue is fixed in version 1.12.2.
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-676 - Use of Potentially Dangerous Function
    Assigner
    Impacted products
    Vendor Product Version
    stanfordnlp stanza Affected: < 1.12.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "stanza",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.12.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load() attempt torch.load(..., weights_only=True) but fall back to torch.load(..., weights_only=False) on attacker-controllable pickle.UnpicklingError, allowing a malicious .pt pretrain or model file to execute arbitrary pickle code when a Stanza NLP pipeline loads it. This issue is fixed in version 1.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-676",
                  "description": "CWE-676: Use of Potentially Dangerous Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T22:23:02.664Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/stanfordnlp/stanza/security/advisories/GHSA-v5jw-96jm-7h2c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/stanfordnlp/stanza/security/advisories/GHSA-v5jw-96jm-7h2c"
            },
            {
              "name": "https://github.com/stanfordnlp/stanza/pull/1587",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/stanza/pull/1587"
            },
            {
              "name": "https://github.com/stanfordnlp/stanza/commit/b745008c68c9e50ccb5acd537cb6f2453f8b7ad4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/stanza/commit/b745008c68c9e50ccb5acd537cb6f2453f8b7ad4"
            },
            {
              "name": "https://github.com/stanfordnlp/stanza/releases/tag/v1.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/stanza/releases/tag/v1.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-v5jw-96jm-7h2c",
            "discovery": "UNKNOWN"
          },
          "title": "Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54499",
        "datePublished": "2026-07-08T22:23:02.664Z",
        "dateReserved": "2026-06-15T18:01:15.511Z",
        "dateUpdated": "2026-07-08T22:23:02.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-0239 (GCVE-0-2022-0239)

    Vulnerability from cvelistv5 – Published: 2022-01-17 06:15 – Updated: 2024-08-23 14:38
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
    Summary
    corenlp is vulnerable to Improper Restriction of XML External Entity Reference
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    stanfordnlp stanfordnlp/corenlp Affected: unspecified , < 4.3.3 (custom)
    Create a notification for this product.
    stanford corenlp Affected: 0 , < 4.3.3 (custom)
        cpe:2.3:a:stanford:corenlp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:18:42.857Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:stanford:corenlp:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "corenlp",
                "vendor": "stanford",
                "versions": [
                  {
                    "lessThan": "4.3.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-0239",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-23T03:55:39.631494Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-23T14:38:48.375Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "stanfordnlp/corenlp",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "lessThan": "4.3.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-17T06:15:11.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd"
            }
          ],
          "source": {
            "advisory": "a717aec2-5646-4a5f-ade0-dadc25736ae3",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-0239",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "stanfordnlp/corenlp",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.3.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "stanfordnlp"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3"
                },
                {
                  "name": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd",
                  "refsource": "MISC",
                  "url": "https://github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3dd"
                }
              ]
            },
            "source": {
              "advisory": "a717aec2-5646-4a5f-ade0-dadc25736ae3",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-0239",
        "datePublished": "2022-01-17T06:15:11.000Z",
        "dateReserved": "2022-01-16T00:00:00.000Z",
        "dateUpdated": "2024-08-23T14:38:48.375Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0198 (GCVE-0-2022-0198)

    Vulnerability from cvelistv5 – Published: 2022-01-13 06:45 – Updated: 2024-08-02 23:18
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
    Summary
    corenlp is vulnerable to Improper Restriction of XML External Entity Reference
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    stanfordnlp stanfordnlp/corenlp Affected: unspecified , < 4.3.3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:18:42.562Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "stanfordnlp/corenlp",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "lessThan": "4.3.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-13T06:45:10.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
            }
          ],
          "source": {
            "advisory": "3d7e70fe-dddd-4b79-af62-8e058c4d5763",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-0198",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "stanfordnlp/corenlp",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "4.3.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "stanfordnlp"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/3d7e70fe-dddd-4b79-af62-8e058c4d5763"
                },
                {
                  "name": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d",
                  "refsource": "MISC",
                  "url": "https://github.com/stanfordnlp/corenlp/commit/1f52136321cfca68b991bd7870563d06cf96624d"
                }
              ]
            },
            "source": {
              "advisory": "3d7e70fe-dddd-4b79-af62-8e058c4d5763",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-0198",
        "datePublished": "2022-01-13T06:45:10.000Z",
        "dateReserved": "2022-01-12T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:18:42.562Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3869 (GCVE-0-2021-3869)

    Vulnerability from cvelistv5 – Published: 2021-10-19 12:30 – Updated: 2024-08-03 17:09
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
    Summary
    corenlp is vulnerable to Improper Restriction of XML External Entity Reference
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    stanfordnlp stanfordnlp/corenlp Affected: unspecified , ≤ 4.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.917Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/2f8baf6c-14b3-420d-8ede-9805797cd324"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "stanfordnlp/corenlp",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-19T12:30:32.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/2f8baf6c-14b3-420d-8ede-9805797cd324"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a"
            }
          ],
          "source": {
            "advisory": "2f8baf6c-14b3-420d-8ede-9805797cd324",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2021-3869",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "stanfordnlp/corenlp",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "stanfordnlp"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/2f8baf6c-14b3-420d-8ede-9805797cd324",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/2f8baf6c-14b3-420d-8ede-9805797cd324"
                },
                {
                  "name": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a",
                  "refsource": "MISC",
                  "url": "https://github.com/stanfordnlp/corenlp/commit/5d83f1e8482ca304db8be726cad89554c88f136a"
                }
              ]
            },
            "source": {
              "advisory": "2f8baf6c-14b3-420d-8ede-9805797cd324",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2021-3869",
        "datePublished": "2021-10-19T12:30:32.000Z",
        "dateReserved": "2021-10-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:09:09.917Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-3878 (GCVE-0-2021-3878)

    Vulnerability from cvelistv5 – Published: 2021-10-15 13:40 – Updated: 2024-08-03 17:09
    VLAI
    Title
    Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
    Summary
    corenlp is vulnerable to Improper Restriction of XML External Entity Reference
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    stanfordnlp stanfordnlp/corenlp Affected: unspecified , ≤ 4.3.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T17:09:09.613Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "stanfordnlp/corenlp",
              "vendor": "stanfordnlp",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-15T13:40:21.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99"
            }
          ],
          "source": {
            "advisory": "a11c889b-ccff-4fea-9e29-963a23a63dd2",
            "discovery": "EXTERNAL"
          },
          "title": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2021-3878",
              "STATE": "PUBLIC",
              "TITLE": "Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "stanfordnlp/corenlp",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "4.3.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "stanfordnlp"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "corenlp is vulnerable to Improper Restriction of XML External Entity Reference"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-611 Improper Restriction of XML External Entity Reference"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2"
                },
                {
                  "name": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99",
                  "refsource": "MISC",
                  "url": "https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99"
                }
              ]
            },
            "source": {
              "advisory": "a11c889b-ccff-4fea-9e29-963a23a63dd2",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2021-3878",
        "datePublished": "2021-10-15T13:40:21.000Z",
        "dateReserved": "2021-10-12T00:00:00.000Z",
        "dateUpdated": "2024-08-03T17:09:09.613Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }