CVE-2026-0846
Arbitrary File Read via Absolute Path Input in nltk.util.filestring()
| CVSS Score | 8.6 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
| CWE | CWE-36 |
| Vendor | nltk |
| Product | nltk/nltk |
| Published | Mar 9, 2026 |
| Last Updated | Mar 12, 2026 |
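A caller-side way to confine the kind of read described above, as an added example (not code from nltk or from this advisory). `filestring_like` is a constructed stand-in for a function that opens any path string it is given; `confined_filestring`, `PathRejected` and the directory layout are hypothetical names chosen for illustration.

```python
import os
import tempfile

class PathRejected(ValueError):
    """Raised when a user-supplied path fails confinement checks."""

def filestring_like(f):
    # Constructed stand-in for the behaviour the advisory describes:
    # a string argument is opened as-is, with no validation.
    if hasattr(f, "read"):
        return f.read()
    with open(f) as infile:
        return infile.read()

def confined_filestring(base_dir, user_path):
    """Read user_path only if it resolves to a regular file under base_dir."""
    if "\x00" in user_path or os.path.isabs(user_path):
        raise PathRejected("absolute or malformed path")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before the check.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PathRejected("path escapes base directory")
    if not os.path.isfile(target):
        raise PathRejected("not a regular file")
    return filestring_like(target)

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "corpora")
        os.mkdir(base)
        outside = os.path.join(root, "outside.txt")
        for path, text in [(os.path.join(base, "sample.txt"), "corpus text"),
                           (outside, "not for callers")]:
            with open(path, "w") as fh:
                fh.write(text)
        os.symlink(outside, os.path.join(base, "link.txt"))
        results["unconfined"] = filestring_like(outside)
        for name, p in [("ok", "sample.txt"), ("abs", outside),
                        ("traversal", "../outside.txt"), ("symlink", "link.txt")]:
            try:
                results[name] = confined_filestring(base, p)
            except PathRejected as exc:
                results[name] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

The check and the open are separate steps, so the base directory should not be writable by the party supplying the path.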
CVSS v3 Breakdown
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Affected Versions
nltk / nltk/nltk
unspecified ≤ latest