CRITICAL🇵🇱 Wersja polska

CVE-2017-12620

CVSS 9.8v3.0pub. 2017-10-03upd. 2026-05-13

When loading models or dictionaries that contain XML it is possible to perform an XXE attack, since Apache OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources. The versions 1.5.0 to 1.5.3, 1.6.0, 1.7.0 to 1.7.2, 1.8.0 to 1.8.1 of Apache OpenNLP are affected.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Opennlp

    APP
    Apache
    1.5.01.5.11.5.21.5.31.6.01.7.01.7.11.7.21.8.01.8.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XXE
CWE
References

Related vulnerabilities

CVE-2026-40682CRITICAL9.1PL ✓ten sam produkt

XXE w Apache OpenNLP — ujawnienie plików i SSRF przez parsowanie słowników

CVE-2026-42027CRITICAL9.8ten sam produkt

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: bef...

CVE-2026-42440HIGH7.5ten sam produkt

OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader  Versions Affected...

CVE-2025-24813CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych

CVE-2024-38856CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Apache OFBiz — nieautoryzowane wykonanie kodu przez błędną autoryzację