
CVE-2026-42027 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: May 5, 2026

Apache OpenNLP - Arbitrary Class Instantiation

Published: May 4, 2026 | Updated: May 5, 2026 | Remote Exploitable

Overview

Apache OpenNLP before 2.5.9 and 3.0.0-M3 contains an arbitrary class instantiation vulnerability. ExtensionLoader.instantiateExtension loads classes via Class.forName() before performing type checks, which lets attackers trigger the static initializers of arbitrary classes during model loading. Exploitation requires an attacker-supplied crafted model archive.
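
The ordering problem described above, as an added example (not OpenNLP's code; `ExtensionLoadDemo`, `loadUnsafe`, `loadChecked` and `Unrelated` are hypothetical names): the one-argument `Class.forName` initializes a class before the type check can reject it, while the three-argument form with `initialize` set to `false` defers initialization until after the check.

```java
public class ExtensionLoadDemo {
    static boolean sideEffectRan = false;   // set by the static initializer below

    // Constructed stand-in for a class named in an untrusted model archive.
    // It does not implement Runnable, so the type check must reject it.
    static class Unrelated {
        static { sideEffectRan = true; }
    }

    // Unsafe order: one-arg Class.forName initializes the class (running its
    // static initializer) before the type check has a chance to reject it.
    static <T> T loadUnsafe(Class<T> type, String name) throws Exception {
        Class<?> c = Class.forName(name);
        if (!type.isAssignableFrom(c)) throw new IllegalArgumentException(name);
        return type.cast(c.getDeclaredConstructor().newInstance());
    }

    // Safer order: resolve without initialization, check the type, and only
    // then instantiate (instantiation is what triggers initialization).
    static <T> T loadChecked(Class<T> type, String name) throws Exception {
        ClassLoader cl = ExtensionLoadDemo.class.getClassLoader();
        Class<?> c = Class.forName(name, false, cl);
        if (!type.isAssignableFrom(c)) throw new IllegalArgumentException(name);
        return c.asSubclass(type).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        String name = ExtensionLoadDemo.class.getName() + "$Unrelated";
        // Checked path first, so the flag still reflects an uninitialized class.
        try { loadChecked(Runnable.class, name); } catch (IllegalArgumentException e) { }
        System.out.println("checked load, initializer ran: " + sideEffectRan);
        try { loadUnsafe(Runnable.class, name); } catch (IllegalArgumentException e) { }
        System.out.println("unsafe load, initializer ran:  " + sideEffectRan);
    }
}
```

Deferring initialization only closes the window before the type check; a class that passes the check is still initialized when it is instantiated.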

Severity & Score

Severity: Critical
CVSS Score: 9.8

Impact

Attackers can execute static initializers of arbitrary classes, potentially causing side effects like network requests or filesystem access during model loading.

Mitigation

Upgrade to Apache OpenNLP 2.5.9 or 3.0.0-M3 or later versions.

Details

CVE ID: CVE-2026-42027
Severity: Critical
CVSS Score: 9.8
Status: new

CWE

  • CWE-470

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H