CVE-2026-0846

EUVD-2026-10350
A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function opens whatever path it is given, without canonicalising it or confining it to an expected directory, so an attacker who controls that argument can read sensitive files by supplying an absolute path or a `../` traversal sequence. The impact is limited to confidentiality (the CVSS vector below scores C:H with no integrity or availability impact): file contents are read and returned, nothing is written. The vulnerability can be exploited locally or remotely, in particular where the function is reached from a web API or another interface that passes user-supplied input through to it unchanged.
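The pattern the description refers to, shown as an added Python example that is not nltk's own code: `read_unchecked()` stands in for a helper that opens whatever path it is handed, and `safe_join()` / `read_confined()` show the check a caller (or a fixed helper) needs before the open. Every name here, the temporary directory layout and the file contents are constructed for the demonstration; the confinement check also covers symlinks that point out of the allowed directory, which the description does not mention.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a user-supplied path escapes the permitted directory."""


def read_unchecked(path):
    # The vulnerable pattern from the advisory, as a stand-in: the path is
    # opened exactly as supplied. Absolute paths and '..' both work here.
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def safe_join(base_dir, user_path):
    """Resolve user_path inside base_dir, rejecting absolute paths, '..'
    traversal and symlinks whose target lies outside base_dir."""
    if not user_path or os.path.isabs(user_path):
        raise UnsafePathError("absolute or empty path rejected")
    base = os.path.realpath(base_dir)
    # realpath() normalises '..' and follows symlinks, so the check below
    # sees where the open would really land, not the string the user sent.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath() compares path components, so a base of /data does not
    # accidentally admit /data-private/x the way a str.startswith() check would.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError("path escapes base directory")
    return candidate


def read_confined(base_dir, user_path):
    """Hardened counterpart of read_unchecked(): only files under base_dir."""
    return read_unchecked(safe_join(base_dir, user_path))


def demo():
    """Build a constructed corpus directory with a secret file next to it and
    record what each reader does for a benign name, a traversal path, an
    absolute path and an escaping symlink. Returns the outcomes as a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        corpus = os.path.join(root, "corpus")
        os.mkdir(corpus)
        with open(os.path.join(corpus, "doc.txt"), "w", encoding="utf-8") as fh:
            fh.write("hello corpus")
        secret = os.path.join(root, "secret.txt")  # outside the corpus dir
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("TOP SECRET")
        try:
            os.symlink(secret, os.path.join(corpus, "link.txt"))
            have_symlink = True
        except (OSError, NotImplementedError):
            have_symlink = False  # e.g. no symlink privilege on Windows

        # Unchecked reader: both escape routes succeed.
        results["unchecked_traversal"] = read_unchecked(
            os.path.join(corpus, "../secret.txt"))
        results["unchecked_absolute"] = read_unchecked(secret)

        # Confined reader: benign name works, escapes are refused.
        results["confined_ok"] = read_confined(corpus, "doc.txt")
        probes = [("traversal", "../secret.txt"), ("absolute", secret)]
        if have_symlink:
            probes.append(("symlink", "link.txt"))
        for label, p in probes:
            try:
                read_confined(corpus, p)
                results["confined_" + label] = "allowed"
            except UnsafePathError:
                results["confined_" + label] = "rejected"
        if not have_symlink:
            results["confined_symlink"] = "skipped"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {value}")
```

The check belongs wherever untrusted input first meets the filesystem; rejecting absolute paths up front is cheap, but the `realpath()` plus `commonpath()` comparison is what actually closes `..` and symlink escapes.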
CVSS 3.x (NVD)
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS percentile: 25%
Affected Products (NVD)
Vendor  Product  Version
nltk    nltk     3.9.2 (vulnerable)
Debian Releases (product: nltk)
Codename  Version  Status
bookworm  -        no-dsa
bullseye  -        postponed
forky     3.9.3-1  fixed
sid       3.9.3-1  fixed
trixie    -        no-dsa

no-dsa: Debian considers the issue minor; no Debian Security Advisory is planned and a fix, if any, would arrive through a point release.
Ubuntu Releases (product: nltk)
Codename  Fixed Version           Status
bionic    3.2.5-1ubuntu0.1+esm4   released
focal     3.4.5-2ubuntu0.1~esm4   released
jammy     3.7-1ubuntu0.1~esm2     released
noble     3.8.1-1ubuntu0.1~esm2   released
questing  -                       needed
resolute  3.9.2-1ubuntu0.1~esm2   released
trusty    2.0~b9-0ubuntu4.1~esm6  released
xenial    -                       ignored