Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-43825— Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModel

AI Predicted 7.5 Difficulty: Moderate EPSS 4.81% · P91

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 1

VendorProductVersion RangeStatus
Apache Software FoundationApache OpenNLP :: Core :: ML :: LibSVM3.0.0-M1< 3.0.0-M4affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43825

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache OpenNLP :: Core :: ML :: LibSVM: Unsafe Java Deserialization in SvmDoccatModel
Source: NVD (National Vulnerability Database)
Vulnerability Description
Untrusted Java Deserialization in Apache OpenNLP SvmDoccatModel Versions Affected:   before 3.0.0-M4 (libsvm document categorization module; introduced in   OPENNLP-1808 and only present on the 3.x line) Description: SvmDoccatModel.deserialize(InputStream) reads an attacker-controlled stream with java.io.ObjectInputStream and calls readObject() without an ObjectInputFilter installed. ObjectInputStream materialises every class referenced in the stream before the resulting object is cast to SvmDoccatModel, so the cast that follows readObject() executes only after the foreign object graph has already been deserialised in full. If a Java deserialization gadget chain is available on the consumer's classpath, a crafted payload supplied to deserialize() executes arbitrary code in the JVM that loads it. Apache OpenNLP itself does not ship a known gadget chain, so the realistic risk is to downstream applications that embed the libsvm module alongside vulnerable transitive dependencies. The method is public and static, so any caller can pass an untrusted stream to it directly. The practical impact is remote code execution against processes that load SvmDoccatModel instances from untrusted or semi-trusted origins. Mitigation: 3.x users should upgrade to 3.0.0-M4. Users who cannot upgrade immediately should treat all serialized SvmDoccatModel streams as untrusted input unless their provenance is verified, and should avoid invoking SvmDoccatModel.deserialize() on streams supplied by end users or fetched from third-party sources without integrity checks.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache OpenNLP :: Core :: ML :: LibSVM 3.0.0-M1 ~ 3.0.0-M4 -

II. Public POCs for CVE-2026-43825

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43825

登录查看更多情报信息。

Mailing List Discussions for CVE-2026-43825 (1)

Same Patch Batch · Apache Software Foundation · 2026-07-06 · 39 CVEs total

CVE-2026-46457Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange withou
CVE-2026-48205Apache Camel DNS: The dns.* and term Exchange header constants used non-Camel-prefixed nam
CVE-2026-48204Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed n
CVE-2026-48203Apache Camel: Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-
CVE-2026-46726Apache Camel Vertx Websocket: The inbound consumer maps externally-supplied WebSocket quer
CVE-2026-46592Apache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed name
CVE-2026-46591Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header a
CVE-2026-46590Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle manager
CVE-2026-46585Apache Camel Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETUR
CVE-2026-46584Apache Camel Mail: The mail producer applied attacker-supplied message headers as JavaMail
CVE-2026-48206Apache Camel JIRA: A set of non-Camel-prefixed Exchange header constants bypass the HTTP h
CVE-2026-46456Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange with
CVE-2026-46455Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the
CVE-2026-46454Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange wi
CVE-2026-46453Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel
CVE-2026-43865Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed H
CVE-2026-42527Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables
CVE-2026-40859Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a
CVE-2026-40047Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argum
CVE-2026-56139Apache Camel Undertow: The muteException consumer option defaulted to false, so a processi

Showing top 20 of 39 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-43825

No comments yet


Leave a comment