Skip to main content

Nltk CVE-2026-0846

HIGH
Absolute Path Traversal (CWE-36)
2026-03-09 security@huntr.dev GHSA-h8wq-7xc4-p3qx
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 17, 2026 - 21:07 vuln.today
cvss_changed
CVSS changed
Apr 17, 2026 - 21:07 NVD
8.6 (HIGH) 7.5 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:56 vuln.today
CVE Published
Mar 09, 2026 - 20:16 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 9 pypi packages depend on nltk (9 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.9.3.

DescriptionNVD

A vulnerability in the filestring() function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

AnalysisAI

Unsafe path handling in NLTK's filestring() function enables attackers to read arbitrary files on affected iOS and AI/ML systems through improper input validation. An unauthenticated attacker can exploit this over the network by supplying directory traversal or absolute paths to access sensitive data, with particular risk in deployments exposing the function through web APIs. No patch is currently available for this high-severity vulnerability (CVSS 8.6).

Technical ContextAI

A vulnerability in the filestring() function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept u

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-0846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy