8.6

NLTK 3.9.2 allows attackers to read any file on your system

DEBIAN-CVE-2026-0846
Summary

A bug in the NLTK library for natural language processing can allow unauthorized access to your system's files if an attacker provides a malicious file path. This could happen if you're using NLTK in a web application or other service that accepts user input. Update to a fixed version of NLTK once one is available.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|--------|---------|-------------------|---------------|
| debian | nltk | All versions | |
Original title
A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens file...
Original description
A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
osv CVSS3.1 8.6
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026
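
Since the description attributes the issue to `filestring()` opening caller-supplied paths without validation, a service can check paths itself before they reach that function. The following is an added example, not code from NLTK or from this advisory; `resolve_inside`, `read_corpus_file`, the `corpus` directory and every sample file are assumed names constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a caller-supplied path would escape the allowed directory."""


def resolve_inside(base_dir, user_path):
    """Return the real path of user_path if it stays inside base_dir, else raise."""
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty path or embedded NUL")
    base = Path(base_dir).resolve(strict=True)
    # Joining with an absolute user_path discards base, and resolve() collapses
    # ".." and follows symlinks, so one containment check covers all three cases.
    candidate = (base / user_path).resolve(strict=False)
    if base not in candidate.parents:
        raise UnsafePathError(f"{user_path!r} resolves outside {base}")
    if not candidate.is_file():
        raise UnsafePathError(f"{user_path!r} is not a regular file")
    return candidate


def read_corpus_file(base_dir, user_path):
    """Read a text file only after the containment check has passed."""
    return resolve_inside(base_dir, user_path).read_text(encoding="utf-8")


def demo():
    """Build a constructed directory tree and classify constructed inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "corpus")
        base.mkdir()
        (base / "sample.txt").write_text("hello corpus", encoding="utf-8")
        secret = Path(tmp, "secret.txt")  # sits outside the allowed directory
        secret.write_text("s3cret", encoding="utf-8")
        os.symlink(secret, base / "link.txt")  # symlink pointing out of base
        inputs = {"sample.txt": "sample.txt", "../secret.txt": "../secret.txt",
                  "<absolute>": str(secret), "link.txt": "link.txt",
                  "sub/../sample.txt": "sub/../sample.txt"}
        for label, path in inputs.items():
            try:
                results[label] = read_corpus_file(base, path)
            except UnsafePathError:
                results[label] = "REJECTED"
    return results
```

The check resolves the path at validation time, so it assumes the allowed directory is not writable by the party supplying the path.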