CVE-2026-0846

HIGH

nltk 3.9.2 - Path Traversal

Title source: llm

Description

A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

References (1)

[Exploit, Third Party Advisory] https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb

Scores

CVSS v3 8.6

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Classification

CWE

CWE-36

Status draft

Timeline

Published Mar 09, 2026

Tracked Since Mar 10, 2026