Description
A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
Published: 2026-03-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data disclosure
Action: Update library
AI Analysis

Impact

The vulnerability resides in the filestring() function of nltk.util. It lacks proper sanitization of input paths, allowing an attacker to specify absolute or traversal paths and read arbitrary files from the system. This flaw is identified as CWE‑22 (Path Traversal) and CWE‑36 (Absolute Path Traversal). The primary impact is the potential unauthorized access to sensitive files, which compromises data confidentiality.

Affected Systems

The affected product is the Natural Language Toolkit hosted by the nltk organization, specifically version 3.9.2. No other versions or sub‑products were listed as affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level, but the EPSS score is below 1%, meaning the likelihood of exploitation in the wild is low. The vulnerability is not yet listed in the CISA KEV catalog. An attacker can exploit the flaw locally by running code that calls filestring, or remotely if the function is exposed through a web API or user‑provided input. Successful exploitation would allow reading of arbitrary files, potentially exposing credentials, configuration, or other sensitive data.

Generated by OpenCVE AI on April 16, 2026 at 03:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nltk to the latest available release, ensuring it contains the fix for filestring() path validation.
  • If upgrading is not immediately possible, modify the application to restrict filestring() usage to internal or trusted contexts only, or remove the call from publicly exposed interfaces.
  • Implement explicit path validation in your code, rejecting absolute paths and disallowing traversal sequences before passing input to filestring().
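As an added example that is not code from the nltk project or from this advisory, the following Python wrapper implements the validation the actions above call for; `validated_path`, `read_within` and the base directory are names assumed here, and the wrapper opens the file itself so it runs without nltk installed (in an application the validated path would be handed to nltk.util.filestring() instead).

```python
import os
from pathlib import Path

# Constructed example: an untrusted-input file reader that enforces the
# checks recommended above before any filestring()-style read happens.


def validated_path(base_dir, user_input):
    """Return the resolved path for `user_input` if it is a relative path
    that stays inside `base_dir`; raise ValueError otherwise."""
    if not isinstance(user_input, str) or not user_input:
        raise ValueError("empty path")
    # Reject absolute paths outright (CWE-36): callers may only name
    # files relative to the allowed directory.
    if os.path.isabs(user_input):
        raise ValueError("absolute paths are not allowed: %r" % user_input)
    # Reject explicit traversal segments (CWE-22). Normalising backslashes
    # first catches "..\\" on hosts that would otherwise ignore it.
    parts = user_input.replace("\\", "/").split("/")
    if ".." in parts:
        raise ValueError("path traversal is not allowed: %r" % user_input)
    # Containment check: resolve symlinks and ".", then confirm the final
    # location is still under the base directory. This is the check that
    # actually holds; the string tests above only give clearer errors
    # (a symlink inside base_dir pointing elsewhere passes them).
    base = Path(base_dir).resolve()
    target = (base / user_input).resolve()
    if target == base or base not in target.parents:
        raise ValueError("path escapes %s: %r" % (base, user_input))
    return target


def read_within(base_dir, user_input):
    """Read a text file named by untrusted input, restricted to base_dir."""
    path = validated_path(base_dir, user_input)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()
```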



Advisories
Source       ID                    Title
Github GHSA  GHSA-h8wq-7xc4-p3qx   NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()
History

Fri, 17 Apr 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nltk, nltk
CPEs                                  cpe:2.3:a:nltk:nltk:3.9.2:*:*:*:*:*:*:*
Vendors & Products                    Nltk, nltk

Thu, 12 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 14:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nltk, Nltk nltk/nltk
Vendors & Products                    Nltk, Nltk nltk/nltk

Tue, 10 Mar 2026 12:15:00 +0000

Type         Values Removed          Values Added
Weaknesses                           CWE-22
References
Metrics      threat_severity: None   cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                                     threat_severity: Important


Mon, 09 Mar 2026 19:45:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
Title                          Arbitrary File Read via Absolute Path Input in nltk.util.filestring()
Weaknesses                     CWE-36
References
Metrics                        cvssV3_0: {'score': 8.6, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-03-12T14:48:25.181Z

Reserved: 2026-01-10T23:22:13.648Z

Link: CVE-2026-0846

Vulnrichment

Updated: 2026-03-12T14:48:13.712Z

NVD

Status : Analyzed

Published: 2026-03-09T20:16:05.703

Modified: 2026-04-17T20:57:00.540

Link: CVE-2026-0846

Redhat

Severity : Important

Public Date: 2026-03-09T19:19:09Z

Links: CVE-2026-0846 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses