PatchSiren cyber security CVE debrief

CVE-2026-0846 nltk CVE debrief

CVE-2026-0846 is a high-severity vulnerability in the NLTK library's `filestring()` function that allows arbitrary file reads because input paths are not validated. The function opens whatever filename it is handed without sanitization, so a caller who controls that string can read sensitive system files by supplying an absolute path or a directory-traversal path. The flaw can be exploited locally or remotely, particularly where the function is reachable from web APIs or other interfaces that accept user-supplied input. The vulnerability has a CVSS score of 7.5 and is considered high severity. NLTK version 3.9.2 is affected.

Vendor: nltk
Product: nltk/nltk
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-09
Original CVE updated: 2026-06-30
Advisory published: 2026-03-09
Advisory updated: 2026-06-30

Who should care

Developers and administrators using NLTK version 3.9.2 in their applications, especially those that expose the `filestring()` function to user input, should be aware of this vulnerability. Additionally, security teams and vulnerability managers should prioritize patching or mitigating this vulnerability to prevent potential exploitation.

Technical summary

The `filestring()` function in NLTK's `nltk.util` module is vulnerable to arbitrary file reads due to improper input validation. An attacker can supply an absolute path or a directory-traversal path (for example one containing `..` segments) to read files outside any intended directory, including sensitive system files. The flaw can be exploited locally or remotely, particularly where the function is reachable from web APIs or other interfaces that accept user-supplied input. The vulnerability has a CVSS score of 7.5 and is considered high severity. CWE-36 (absolute path traversal) and CWE-22 (improper limitation of a pathname to a restricted directory) are associated with this vulnerability.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it can be exploited to access sensitive system files. Immediate action is recommended to prevent potential exploitation.

Recommended defensive actions

  • Update NLTK to a patched version if available.
  • Implement input validation and sanitization for the `filestring()` function.
  • Use secure coding practices to prevent path traversal attacks.
  • Monitor for suspicious activity and implement logging and auditing.
  • Consider implementing compensating controls, such as access controls and file system restrictions.
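The following is an added example, not NLTK's code or part of the original debrief. It shows the unsafe pattern the technical summary describes (a user-controlled string passed straight to `open()`) next to a hardened wrapper of the kind the "input validation and sanitization" action calls for: the wrapper confines reads to a caller-chosen base directory by rejecting absolute paths and resolving the candidate path before checking that it stays inside that directory. The names `filestring_unsafe`, `filestring_safe` and `demo` are hypothetical, and the corpus directory and files are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path


def filestring_unsafe(f):
    """Unsafe pattern (hypothetical stand-in, not NLTK's code): the string
    goes straight to open(), so '/etc/hosts' or '../x' is opened as given."""
    if hasattr(f, "read"):
        return f.read()
    with open(f) as infile:
        return infile.read()


def filestring_safe(base_dir, f):
    """Hardened form: only paths that resolve inside base_dir may be opened."""
    if hasattr(f, "read"):
        return f.read()
    if not isinstance(f, str) or not f:
        raise ValueError("expected a non-empty filename or file-like object")
    base = Path(base_dir).resolve()
    if Path(f).is_absolute():
        raise ValueError("absolute paths are not permitted")
    # resolve() collapses '..' and follows symlinks, so a link pointing outside
    # base_dir is rejected just like a plain traversal sequence
    target = (base / f).resolve()
    if base not in target.parents:
        raise ValueError(f"path escapes the allowed directory: {f!r}")
    with target.open() as infile:
        return infile.read()


def demo():
    """Constructed corpus directory plus a file outside it; returns
    (safe_read, unsafe_leak, traversal_blocked, absolute_blocked)."""
    with tempfile.TemporaryDirectory() as tmp:
        corpus = Path(tmp) / "corpus"
        corpus.mkdir()
        (corpus / "doc.txt").write_text("constructed corpus text")
        (Path(tmp) / "secret.txt").write_text("constructed secret")
        safe_read = filestring_safe(corpus, "doc.txt")
        # the unsafe form reads outside the corpus directory without complaint
        leaked = filestring_unsafe(str(corpus / ".." / "secret.txt"))
        blocked = []
        for attempt in ("../secret.txt", str(Path(tmp) / "secret.txt")):
            try:
                filestring_safe(corpus, attempt)
                blocked.append(False)
            except ValueError:
                blocked.append(True)
        return safe_read, leaked, blocked[0], blocked[1]
```

Running `demo()` shows the unsafe form returning the contents of the file outside the corpus directory while the hardened form refuses both the traversal path and the absolute path.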

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and CWE associations. Additional references from Red Hat and Huntr provide further context and potential mitigations.

Official resources

This article is AI-assisted and based on the supplied source corpus.