{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://docs.wproofreader.com/v6.13.0/faq/technical/security/webspellchecker-security-advisory-wsc-sa-2026-001",
  "author": "WebSpellChecker <support@webspellchecker.net>",
  "timestamp": "2026-05-12T00:00:00Z",
  "last_updated": "2026-05-20T00:00:00Z",
  "version": 2,
  "statements": [
    {
      "vulnerability": { "name": "CVE-2026-42027" },
      "products": [
        {
          "@id": "pkg:maven/org.apache.opennlp/opennlp-tools@1.9.4"
        }
      ],
      "status": "not_affected",
      "justification": "inline_mitigations_already_exist",
      "impact_statement": "WProofreader only loads vendor-supplied OpenNLP models bundled in the container image at build time. No user-supplied or externally fetched models are accepted at runtime. Additionally, the bundled OpenNLP models are verified by SHA-256 at load time; a failed check blocks startup, closing the tampering path described in WSC-SA-2026-001. Even if the vulnerability were exploitable, the CVSS base score would be 6.3 (Medium) rather than 9.8 (Critical), as exploitation requires local access to the container filesystem (AV:L), high attack complexity (AC:H), high privileges (PR:H), and user interaction in the form of a service restart (UI:R). Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H."
    },
    {
      "vulnerability": { "name": "CVE-2026-40682" },
      "products": [
        {
          "@id": "pkg:maven/org.apache.opennlp/opennlp-tools@1.9.4"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "The vulnerable class DictionaryEntryPersistor is present in the opennlp-tools JAR but is never loaded or referenced at runtime. A source code search of the LanguageTool tree shows no imports of, and no calls into, the opennlp.tools.dictionary package. Even if the vulnerability were exploitable, the CVSS base score would be 5.6 (Medium) rather than 9.1 (Critical). Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N."
    },
    {
      "vulnerability": { "name": "CVE-2026-42440" },
      "products": [
        {
          "@id": "pkg:maven/org.apache.opennlp/opennlp-tools@1.9.4"
        }
      ],
      "status": "not_affected",
      "justification": "inline_mitigations_already_exist",
      "impact_statement": "OpenNLP models are loaded at application startup, but only from vendor-supplied .bin files bundled in the container image at build time. No user-supplied or externally fetched models are accepted at runtime. Additionally, the bundled OpenNLP models are verified by SHA-256 at load time; a failed check blocks startup, closing the tampering path described in WSC-SA-2026-001. Even if the vulnerability were exploitable, the CVSS base score would be 4.0 (Medium) rather than 7.5 (High). Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H."
    }
  ]
}
