PatchSiren cyber security CVE debrief
CVE-2026-0846 nltk CVE debrief
CVE-2026-0846 is a high-severity vulnerability in the NLTK library's `filestring()` function that allows arbitrary file reads because input paths are not validated. The function opens whatever path the caller supplies without sanitization, so an attacker who controls that input can read sensitive system files by passing an absolute path or a traversal path. The flaw can be exploited locally or remotely, most notably where `filestring()` sits behind a web API or another interface that accepts user-supplied input. It carries a CVSS score of 7.5 (high). NLTK version 3.9.2 is affected.
- Vendor: nltk
- Product: nltk/nltk
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-09
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-09
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using NLTK version 3.9.2 in their applications, especially those that expose the `filestring()` function to user input, should be aware of this vulnerability. Additionally, security teams and vulnerability managers should prioritize patching or mitigating this vulnerability to prevent potential exploitation.
Technical summary
The `filestring()` function in NLTK's `nltk.util` module is vulnerable to arbitrary file reads because it does not validate the path it is given. An attacker can supply an absolute path or a traversal path to read sensitive system files. The flaw can be exploited locally or remotely, most notably where the function is reachable from a web API or another interface that accepts user-supplied input. It carries a CVSS score of 7.5 (high) and is classified under CWE-36 (Absolute Path Traversal) and CWE-22 (Path Traversal).
Defensive priority
High priority should be given to patching or mitigating this vulnerability, as it can be exploited to access sensitive system files. Immediate action is recommended to prevent potential exploitation.
Recommended defensive actions
- Update NLTK to a patched version if available.
- Implement input validation and sanitization for the `filestring()` function.
- Use secure coding practices to prevent path traversal attacks.
- Monitor for suspicious activity and implement logging and auditing.
- Consider implementing compensating controls, such as access controls and file system restrictions.
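The input validation recommended above can be applied as a wrapper that confines a user-supplied relative path to an allowed root before any file is opened. This is an added example, not code from the NLTK project or the advisory; the root directory, the `safe_filestring()` name and the constructed directory tree are assumptions for illustration.

```python
"""Path-confinement wrapper for a filestring()-style reader (hypothetical)."""
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a user-supplied path resolves outside the allowed root."""


def resolve_confined(root: str, user_path: str) -> Path:
    """Resolve user_path strictly inside root.

    Rejects absolute paths, '..' traversal and symlinks pointing outside the
    root; all three are checked after resolution, not by string matching.
    """
    root_real = Path(root).resolve(strict=True)
    if os.path.isabs(user_path):
        raise PathEscapeError(f"absolute path rejected: {user_path!r}")
    candidate = (root_real / user_path).resolve()  # follows symlinks and '..'
    try:
        candidate.relative_to(root_real)  # ValueError if it left the root
    except ValueError as exc:
        raise PathEscapeError(f"path escapes root: {user_path!r}") from exc
    return candidate


def safe_filestring(root: str, user_path: str, encoding: str = "utf-8") -> str:
    """Read a file as a string only if it sits inside root (assumed API)."""
    path = resolve_confined(root, user_path)
    if not path.is_file():
        raise FileNotFoundError(user_path)
    return path.read_text(encoding=encoding)


def demo() -> dict:
    """Exercise the wrapper on a constructed tree; returns outcome per input."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "corpus")
        os.makedirs(root)
        Path(root, "doc.txt").write_text("hello corpus\n", encoding="utf-8")
        Path(tmp, "secret.txt").write_text("outside root\n", encoding="utf-8")
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(root, "link.txt"))
        results = {"doc.txt": safe_filestring(root, "doc.txt")}
        for attempt in ("../secret.txt", "/etc/hostname", "link.txt", "sub/../../secret.txt"):
            try:
                safe_filestring(root, attempt)
                results[attempt] = "ALLOWED"
            except PathEscapeError:
                results[attempt] = "blocked"
        return results
```

Only the in-root file is returned; the traversal, absolute-path and symlink inputs all raise `PathEscapeError` before any file is opened.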
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and CWE associations. Additional references from Red Hat and Huntr provide further context and potential mitigations.
Official resources
- CVE-2026-0846 CVE record (CVE.org)
- CVE-2026-0846 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.