๐Ÿ” CVE Alert

CVE-2026-58198

MEDIUM 5.5

ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer

CVSS Score
5.5
EPSS Score
0.0%
EPSS Percentile
0th

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. Prior to 1.2.14, UbuntuCorpusTrainer.extract() uses a predictable home-rooted output directory (~/ubuntu_data/ubuntu_dialogs) with a check-then-create pattern followed by tar.extractall(path=self.data_path), allowing a local attacker who pre-plants a symlink at the predictable path to cause archive contents to be written through the symlink to an attacker-chosen directory. This issue is fixed in version 1.2.14.

CWE CWE-367 CWE-59
Vendor gunthercox
Product chatterbot
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for gunthercox chatterbot

Be the first to know when new medium vulnerabilities affecting gunthercox chatterbot are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

gunthercox / ChatterBot
< 1.2.14

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-wvrh-2f4m-924v github.com: https://github.com/gunthercox/ChatterBot/pull/2445 github.com: https://github.com/gunthercox/ChatterBot/commit/82817b5c28bfd43e682b991bcc76e6f780726dbf github.com: https://github.com/gunthercox/ChatterBot/releases/tag/1.2.14