High severity 7.5 · NVD Advisory · Published Mar 9, 2026 · Updated Apr 17, 2026
CVE-2026-0846
Description
A vulnerability in the filestring() function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nltk (PyPI) | < 3.9.3 | 3.9.3 |
References
- huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb (nvd; Exploit, Vendor Advisory; WEB)
- github.com/advisories/GHSA-h8wq-7xc4-p3qx (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-0846 (ghsa; ADVISORY)
- github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974 (ghsa; WEB)
- github.com/nltk/nltk/pull/3485 (ghsa; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-97.yaml (ghsa; WEB)