NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()

GHSA-h8wq-7xc4-p3qx · CVE-2026-0846 · PYSEC-2026-97

Published Mar 9, 2026 · Modified Jun 8, 2026

Description

A vulnerability in the filestring() function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-0846
WEB https://github.com/nltk/nltk/pull/3485
WEB https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974
PACKAGE https://github.com/nltk/nltk
WEB https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-97.yaml
WEB https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes