CVE-2026-0846

Exploit

EPSS 0.09%
Veröffentlicht 09.03.2026 19:19:09
Zuletzt bearbeitet 17.04.2026 20:57:00
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

Arbitrary File Read via Absolute Path Input in nltk.util.filestring()

A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nltk ≫ Nltk Version3.9.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.25

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security@huntr.dev	8.6	3.9	4.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE-36 Absolute Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-0846

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-0846

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-0846

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-0846