CVE-2026-0846
NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()
Description
A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
How to fix CVE-2026-0846
To remediate CVE-2026-0846, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 3.9.3 or later
- —no fix listed
Is CVE-2026-0846 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0
- from 0, < 3.9.3
- from 0, <= 3.9.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |