PT-2026-55955 · Apache · Apache Opennlp

Subramanian S

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-43825

CVSS v3.1

7.3

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions Apache OpenNLP versions prior to 3.0.0-M4
Description Untrusted Java deserialization occurs in the SvmDoccatModel.deserialize(InputStream) function. The function uses java.io.ObjectInputStream to read an attacker-controlled stream and calls readObject() without an ObjectInputFilter. Because the object graph is fully deserialized before being cast to SvmDoccatModel, an attacker can execute arbitrary code in the JVM if a deserialization gadget chain is present on the classpath. This issue primarily affects downstream applications that embed the libsvm module alongside vulnerable transitive dependencies.
Recommendations Upgrade to version 3.0.0-M4. Avoid invoking the SvmDoccatModel.deserialize() function on streams supplied by end users or fetched from third-party sources without integrity checks.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43825

Affected Products

Apache Opennlp