HIGH🇵🇱 Wersja polska

CVE-2026-12243

CVSS 7.5v3.0pub. 2026-06-30

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` function decodes these sequences after the validation step, allowing an attacker to bypass the protection. This vulnerability enables an attacker to read arbitrary files accessible to the Python process by controlling the resource name parameter passed to `nltk.data.load()` or `nltk.data.find()`. The issue affects applications that rely on NLTK for resource loading, including NLP web applications, Jupyter notebooks, and CLI tools. The default `pathsec.ENFORCE=False` setting exacerbates the impact by not blocking the file read at the `open()` stage.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Nltk

    APP
    Nltk
    3.9.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-0848CRITICAL10.0PL ✓ten sam produkt

RCE w NLTK StanfordSegmenter — ładowanie niezweryfikowanych plików JAR

CVE-2026-54293HIGH7.5ten sam produkt

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting ...

CVE-2026-33236HIGH8.1ten sam produkt

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting ...

CVE-2026-33231HIGH7.5ten sam produkt

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting ...

CVE-2026-0846HIGH7.5ten sam produkt

A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrar...