CVE-2026-0846

EUVD-2026-10350
A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
CVSS 3.x Base Score

Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Percentile: Unknown
Affected Products (NVD)

Vendor  Product  Version  Status
nltk    nltk     3.9.2    vulnerable
Debian Releases

Debian Product  Codename   Status
nltk            bookworm   no-dsa
nltk            bullseye   postponed
nltk            forky      fixed (3.9.3-1)
nltk            sid        fixed (3.9.3-1)
nltk            trixie     no-dsa
Ubuntu Releases

Ubuntu Product  Codename   Status
nltk            bionic     needed
nltk            focal      needed
nltk            jammy      needed
nltk            noble      needed
nltk            questing   needed
nltk            resolute   needed
nltk            trusty     needed
nltk            xenial     needed