Sign In

CVE-2026-0846

ADVISORY - github

Summary

A vulnerability in the filestring() function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

EPSS Score: 0.00088 (0.251)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-36

Absolute Path Traversal

ADVISORY - github

CWE-36

Absolute Path Traversal

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2026-0846
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
COMMON WEAKNESS ENUMERATION (CWE)
CWE-36

CVSS SCORE

7.5high

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-h8wq-7xc4-p3qx
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-36

CVSS SCORE

8.6high

Debian

CREATED

UPDATED

ADVISORY IDCVE-2026-0846
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2026-0846
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5medium

PypA

CREATED

UPDATED

ADVISORY ID

PYSEC-2026-97

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.5high