HIGH🇬🇧 English

CVE-2026-0846

CVSS 7.5v3.1pub. 2026-03-09upd. 2026-06-30

A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Nltk

    APP
    Nltk
    3.9.2
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Path Traversal
CWE
Referencje

Powiązane podatności

CVE-2026-0848CRITICAL10.0PL ✓ten sam produkt

RCE w NLTK StanfordSegmenter — ładowanie niezweryfikowanych plików JAR

CVE-2026-12243HIGH7.5ten sam produkt

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. T...

CVE-2026-54293HIGH7.5ten sam produkt

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting ...

CVE-2026-33231HIGH7.5ten sam produkt

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting ...

CVE-2026-33236HIGH8.1ten sam produkt

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting ...