PatchSiren cyber security CVE debrief
CVE-2026-33236 nltk CVE debrief
CVE-2026-33236 is a high-severity path traversal vulnerability in the Natural Language Toolkit (NLTK). In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes it reads from the remote XML package index before using them to build filesystem paths. An attacker who controls the index server the downloader fetches from can therefore serve attribute values containing traversal sequences (such as `../`) and cause arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite on the host running the download. The issue is rated CVSS 8.1 (High) and is fixed in commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a.
- Vendor: nltk
- Product: Unknown
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-20
- Advisory updated: 2026-06-30
Who should care
Organizations running NLTK 3.9.3 or earlier should prioritize patching. Exposure is greatest wherever the downloader runs automatically (container builds, CI jobs, first-run setup scripts) or is pointed at an index mirror the organization does not control, because the attack requires the victim to fetch a package index from an attacker-controlled server. Defenders should inventory NLTK installations, including copies baked into images and virtual environments, and bring every instance to a patched version. Red Hat users can refer to errata RHSA-2026:10184 and RHSA-2026:19712 for mitigation guidance.
Technical summary
The NLTK downloader fetches an XML index listing the available packages, then uses each package's `subdir` and `id` attributes to decide where on disk to create directories and write the downloaded content. Because neither attribute is validated, an attacker-controlled index can supply values containing path traversal sequences, and the resulting paths resolve outside the intended data directory; the effect is arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite with the privileges of the process running the download. The fix in commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a addresses this missing validation. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H: reachable over the network with no privileges, but requiring user interaction (a download must be triggered against the malicious index), with high impact to integrity and availability and none to confidentiality.
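The following is an added illustration of the bug class described above, not NLTK's own downloader code. It models an index in the shape the debrief describes (packages with `id` and `subdir` attributes), joins those attributes into a path the way an unvalidated downloader would, and then shows one way to validate them. The XML layout, the `DOWNLOAD_DIR` value and the `.zip` suffix are modelling assumptions; the index contents are constructed sample input.

```python
"""Added illustration (not NLTK's code): unvalidated XML index attributes
become path traversal, and an allow-list plus containment check stops it.
DOWNLOAD_DIR, the XML layout and the ".zip" suffix are assumptions."""
import posixpath
import re
import xml.etree.ElementTree as ET

DOWNLOAD_DIR = "/srv/nltk_data"  # assumed data directory the downloader writes into

# Constructed index: one legitimate package and two whose attributes carry
# traversal sequences, as an attacker-controlled index server could serve.
MALICIOUS_INDEX = """<?xml version="1.0"?>
<nltk_data>
  <packages>
    <package id="punkt" subdir="tokenizers" url="https://index.invalid/punkt.zip"/>
    <package id="../../../../var/lib/app/config" subdir="tokenizers" url="https://index.invalid/a.zip"/>
    <package id="evil" subdir="../../../tmp/pwned" url="https://index.invalid/b.zip"/>
  </packages>
</nltk_data>
"""


def naive_target_path(subdir, pkg_id):
    """Unvalidated construction: attributes go straight into the path, so
    ".." in either one walks out of DOWNLOAD_DIR; directory creation and
    file writes then land wherever the index author chose."""
    return posixpath.normpath(posixpath.join(DOWNLOAD_DIR, subdir, pkg_id + ".zip"))


# Allow-list for a single path component: leading alphanumeric, then a
# conservative character set. This rejects "..", "/", "\\", NUL and anything
# starting with a dot, without trying to enumerate bad sequences.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def validate_component(value, field):
    if not SAFE_COMPONENT.fullmatch(value):
        raise ValueError(f"{field}={value!r} is not a single safe path component")
    return value


def safe_target_path(subdir, pkg_id):
    """Hardened construction: allow-list each attribute, then confirm the
    normalised result is still inside DOWNLOAD_DIR (defence in depth; a real
    implementation would also apply os.path.realpath to defeat symlinks)."""
    subdir = validate_component(subdir, "subdir")
    pkg_id = validate_component(pkg_id, "id")
    target = posixpath.normpath(posixpath.join(DOWNLOAD_DIR, subdir, pkg_id + ".zip"))
    if posixpath.commonpath([DOWNLOAD_DIR, target]) != DOWNLOAD_DIR:
        raise ValueError(f"{target!r} escapes {DOWNLOAD_DIR!r}")
    return target


def plan_downloads(index_xml, build_path):
    """Parse an index and run every <package> through build_path.
    Returns (accepted, rejected): accepted holds (id, path), rejected holds
    (id, reason). For genuinely untrusted XML, prefer defusedxml over the
    stdlib parser."""
    root = ET.fromstring(index_xml)
    accepted, rejected = [], []
    for pkg in root.iter("package"):
        subdir, pkg_id = pkg.get("subdir", ""), pkg.get("id", "")
        try:
            accepted.append((pkg_id, build_path(subdir, pkg_id)))
        except ValueError as exc:
            rejected.append((pkg_id, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    for label, builder in (("naive", naive_target_path), ("hardened", safe_target_path)):
        accepted, rejected = plan_downloads(MALICIOUS_INDEX, builder)
        print(f"{label}: {len(accepted)} accepted, {len(rejected)} rejected")
        for pkg_id, path in accepted:
            print(f"  would write {path}  (id={pkg_id!r})")
        for pkg_id, reason in rejected:
            print(f"  rejected id={pkg_id!r}: {reason}")
```

Run stand-alone, the naive builder accepts all three packages and resolves two of them to `/var/lib/app/config.zip` and `/tmp/pwned/evil.zip`, outside the data directory; the hardened builder accepts only `punkt`. The allow-list does the real work; the `commonpath` check is there so that a future change to how the path is assembled cannot silently reintroduce the escape.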
Defensive priority
High. Arbitrary file creation and overwrite with the privileges of the downloading process is a strong primitive, so treat this as a patch-now item rather than waiting for evidence of exploitation. Inventory NLTK installations and bring every instance to a patched version.
Recommended defensive actions
- Patch NLTK installations to version 3.9.4 or later
- Review inventory of NLTK installations (system packages, virtual environments, container images, CI runners) and ensure all instances are updated
- Refer to Red Hat errata RHSA-2026:10184 and RHSA-2026:19712 for mitigation guidance
- Monitor for files or directories created outside the expected NLTK data directory by processes that run the downloader
- Until patched, run the downloader only against trusted index sources, under an account whose write access is limited to the NLTK data directory, or pre-stage NLTK data offline instead of downloading at runtime
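As an added inventory aid (not from the advisory or the NLTK project), the script below checks the nltk version importable by the current interpreter and scans requirements-style lines for pins or ranges that admit an affected release. The fixed-version constant comes from this debrief; the requirements lines are constructed sample input, and the version ordering is a deliberately conservative approximation (pre-releases of 3.9.4 are treated as affected).

```python
"""Added inventory check (not NLTK's or the advisory's code): flag nltk
installations and requirement lines that admit a release below 3.9.4."""
import re
from importlib import metadata

FIXED_VERSION = "3.9.4"  # first release stated to carry the fix

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(.*)")
_SPEC_RE = re.compile(r"(==|~=|>=|<=|!=|>|<)\s*([\w.\-+*]+)")


def parse_version(text):
    """Turn '3.9.4rc1' into a comparable tuple. Pre-releases sort below the
    final release of the same number, so '3.9.4rc1' still counts as affected;
    unparseable input raises rather than silently passing."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unparseable version {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    suffix = m.group(2).strip()
    return nums + ((1,) if not suffix else (0, suffix))


def is_affected(version_text):
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def installed_nltk():
    """Version of nltk importable by this interpreter with a verdict, or None."""
    try:
        ver = metadata.version("nltk")
    except metadata.PackageNotFoundError:
        return None
    return {"version": ver, "affected": is_affected(ver)}


def requirement_risk(line):
    """Classify one requirements.txt line. Returns None for non-nltk lines
    and for pins at or above FIXED_VERSION, otherwise a short reason."""
    body = line.split("#", 1)[0].strip()
    # Name must be exactly "nltk" (case-insensitive), optionally with extras.
    m = re.fullmatch(r"nltk(?![\w.-])\s*(?:\[[^\]]*\])?\s*(.*)", body, re.IGNORECASE)
    if not m:
        return None
    specs = _SPEC_RE.findall(m.group(1).split(";", 1)[0])  # drop env markers
    pins = [v for op, v in specs if op == "=="]
    if pins:
        return "pinned to an affected release" if any(is_affected(v) for v in pins) else None
    lower = [v for op, v in specs if op in (">=", ">", "~=")]
    if not lower:
        return "unpinned; resolver may select an affected release"
    if any(is_affected(v) for v in lower):
        return "lower bound admits affected releases"
    return None


def scan_requirements(lines):
    """Return [(line, reason)] for every line that needs attention."""
    findings = []
    for line in lines:
        reason = requirement_risk(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


SAMPLE_REQUIREMENTS = [  # constructed sample input
    "nltk==3.9.3        # pinned to an affected release",
    "requests>=2.31",
    "nltk>=3.8,<4",
    "NLTK==3.9.4",
    "nltk_extras==0.1   # different project, not nltk",
    "nltk",
]

if __name__ == "__main__":
    print("installed:", installed_nltk())
    for line, reason in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{line!r}: {reason}")
```

Point the scan at each project's requirements or lock file and run the installed-version check inside every image and virtual environment, since a patched system package says nothing about a copy vendored into a container. Unpinned and lower-bounded requirements are reported so that the lock file, not the range, is what gets verified.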
Evidence notes
The CVE-2026-33236 vulnerability was reported by the NLTK community and has been patched in commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a. The vulnerability has a CVSS score of 8.1 and is considered high severity. Red Hat has released errata RHSA-2026:10184 and RHSA-2026:19712 to address this vulnerability.
Official resources
- CVE-2026-33236 CVE record (CVE.org)
- CVE-2026-33236 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.