
PatchSiren cyber security CVE debrief

CVE-2026-33236 nltk CVE debrief

CVE-2026-33236 is a high-severity path traversal vulnerability in the Natural Language Toolkit (NLTK). It affects versions 3.9.3 and prior, where the NLTK downloader fails to validate the `subdir` and `id` attributes it reads from remote XML index files. An attacker who controls the remote XML index server can therefore supply attribute values containing path traversal sequences, leading to arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite on the machine running the downloader. The vulnerability has a CVSS score of 8.1 and is rated high severity. A patch has been released in commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a.

Vendor: nltk
Product: Unknown
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-20
Original CVE updated: 2026-06-30
Advisory published: 2026-03-20
Advisory updated: 2026-06-30

Who should care

Organizations running NLTK versions 3.9.3 and prior should prioritize patching. Defenders should also review their inventory of NLTK installations and confirm that every instance is updated to a patched version. Red Hat users can refer to errata RHSA-2026:10184 and RHSA-2026:19712 for mitigation guidance.

Technical summary

The NLTK downloader builds filesystem paths from the `subdir` and `id` attributes of package entries in a remote XML index file without validating them. Malicious attribute values containing path traversal sequences can therefore direct the downloader to create directories, create files, or overwrite files outside the intended download directory. The root cause is the missing validation in the downloader, which has been corrected in commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H.
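The following is an added example, not code from NLTK or from the patch commit: a small scanner that parses an index file in the shape the NLTK downloader consumes and flags any package entry whose `subdir` or `id` would escape the download root. It assumes the downloader joins paths as root/subdir/id (a simplification of the real layout), and the sample index, including its two hostile entries, is constructed for illustration.

```python
"""Flag NLTK-style index entries whose subdir/id escape the download root.
Constructed example for CVE-2026-33236; not NLTK's own code."""
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample index. The first entry is benign; the other two carry
# the kind of traversal values the advisory describes.
SAMPLE_INDEX = """<?xml version="1.0"?>
<nltk_data>
  <packages>
    <package id="punkt" subdir="tokenizers" url="https://example.invalid/a.zip"/>
    <package id="../../outside" subdir="corpora" url="https://example.invalid/b.zip"/>
    <package id="wordnet" subdir="/etc" url="https://example.invalid/c.zip"/>
  </packages>
</nltk_data>"""


def safe_target(root: str, subdir: str, pkg_id: str):
    """Return root/subdir/pkg_id when both attributes are benign, else None.

    Assumed layout root/subdir/id. Rejects empty values, NUL bytes,
    backslashes, absolute paths and any '.', '..' or empty component;
    the id must additionally be a single filename component."""
    root = posixpath.normpath(root)
    for attr in (subdir, pkg_id):
        if not attr or "\x00" in attr or "\\" in attr or posixpath.isabs(attr):
            return None
        if any(part in ("", ".", "..") for part in attr.split("/")):
            return None
    if "/" in pkg_id:
        return None
    target = posixpath.normpath(posixpath.join(root, subdir, pkg_id))
    # Defence in depth: the normalised path must still sit inside root.
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


def scan_index(xml_text: str, root: str = "/var/nltk_data"):
    """Return (id, subdir, resolved_target_or_None) for every <package>."""
    doc = ET.fromstring(xml_text)
    return [(p.get("id", ""), p.get("subdir", ""),
             safe_target(root, p.get("subdir", ""), p.get("id", "")))
            for p in doc.iter("package")]


def hostile_entries(xml_text: str, root: str = "/var/nltk_data"):
    """Only the (id, subdir) pairs a patched downloader should refuse."""
    return [(i, s) for i, s, t in scan_index(xml_text, root) if t is None]


if __name__ == "__main__":
    for entry in hostile_entries(SAMPLE_INDEX):
        print("rejected:", entry)
```

Running the scanner over a mirrored or cached index before pointing a pre-3.9.4 downloader at it gives a quick check that no entry would write outside the download directory.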

Defensive priority

Patching NLTK installations should be treated as high priority, since the vulnerability allows arbitrary file creation and overwrite on the system running the downloader. Defenders should review their inventory of NLTK installations and ensure that all instances are updated to a patched version.

Recommended defensive actions

  • Patch NLTK installations to version 3.9.4 or later
  • Review inventory of NLTK installations and ensure all instances are updated
  • Refer to Red Hat errata RHSA-2026:10184 and RHSA-2026:19712 for mitigation guidance
  • Monitor for suspicious activity related to NLTK installations
  • Implement compensating controls to detect and prevent path traversal attacks

Evidence notes

CVE-2026-33236 was reported by the NLTK community and has been patched in commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a. The vulnerability carries a CVSS score of 8.1 and is rated high severity. Red Hat has released errata RHSA-2026:10184 and RHSA-2026:19712 to address it.

Official resources

This article was generated with AI assistance based on the supplied source corpus.