Stanza is a Stanford NLP Python library for tokenization, sentence segmentation, NER, and parsing of many human languages. Prior to 1.12.2, Stanza model loaders such as stanza.models.common.pretrain.Pretrain.load() attempt torch.load(..., weights_only=True) but fall back to torch.load(..., weights_only=False) on attacker-controllable pickle.UnpicklingError, allowing a malicious .pt pretrain or model file to execute arbitrary pickle code when a Stanza NLP pipeline loads it. This issue is fixed in version 1.12.2.
References
| Link | Resource |
|---|---|
| https://github.com/stanfordnlp/stanza/commit/b745008c68c9e50ccb5acd537cb6f2453f8b7ad4 | Patch |
| https://github.com/stanfordnlp/stanza/pull/1587 | Issue Tracking Patch |
| https://github.com/stanfordnlp/stanza/releases/tag/v1.12.2 | Release Notes |
| https://github.com/stanfordnlp/stanza/security/advisories/GHSA-v5jw-96jm-7h2c | Exploit Vendor Advisory |
| https://github.com/stanfordnlp/stanza/security/advisories/GHSA-v5jw-96jm-7h2c | Exploit Vendor Advisory |
Configurations
History
13 Jul 2026, 14:57
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/stanfordnlp/stanza/commit/b745008c68c9e50ccb5acd537cb6f2453f8b7ad4 - Patch | |
| References | () https://github.com/stanfordnlp/stanza/pull/1587 - Issue Tracking, Patch | |
| References | () https://github.com/stanfordnlp/stanza/releases/tag/v1.12.2 - Release Notes | |
| References | () https://github.com/stanfordnlp/stanza/security/advisories/GHSA-v5jw-96jm-7h2c - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:stanford:stanza:*:*:*:*:*:python:*:* | |
| First Time |
Stanford
Stanford stanza |
09 Jul 2026, 14:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/stanfordnlp/stanza/security/advisories/GHSA-v5jw-96jm-7h2c - |
08 Jul 2026, 23:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-08 23:16
Updated : 2026-07-13 14:57
NVD link : CVE-2026-54499
Mitre link : CVE-2026-54499
CVE.ORG link : CVE-2026-54499
JSON object : View
Products Affected
stanford
- stanza
