Arbitrary File Read Vulnerability in NLTK by NLTK Project
CVE-2026-0846
8.6 HIGH
What is CVE-2026-0846?
The filestring() function within the nltk.util module of NLTK version 3.9.2 is susceptible to an arbitrary file read vulnerability due to inadequate input path validation. This flaw allows attackers to leverage the function to open files specified by user input without any sanitization, potentially leading to unauthorized access of sensitive system files. This vulnerability poses risks in both local and remote exploitation scenarios, especially in environments utilizing web APIs or interfaces that process user-supplied input.
Affected Version(s)
nltk/nltk <= unspecified
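
The path validation that the description says is missing can be applied by the calling application before any user-supplied path reaches a file-reading helper. The sketch below is an added example, not NLTK code or an official fix: unchecked_read is a hypothetical stand-in for a helper that opens whatever path it is given, confined_read is a hypothetical wrapper, and the directory tree is constructed.

```python
import os
import tempfile
from pathlib import Path


def unchecked_read(path):
    """Stand-in for a helper that opens whatever path it is handed
    (the behaviour the advisory describes); hypothetical, not NLTK's code."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def confined_read(base_dir, user_path):
    """Read user_path only if it resolves to a regular file inside base_dir."""
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so the check below is
    # made on the file that would really be opened.
    target = (base / user_path).resolve(strict=True)
    if not target.is_relative_to(base):  # Python 3.9+
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    if not target.is_file():
        raise PermissionError(f"not a regular file: {user_path!r}")
    return unchecked_read(target)


def demo():
    """Build a constructed directory tree and report which requests are served."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        corpus = Path(root, "corpus")
        corpus.mkdir()
        (corpus / "doc.txt").write_text("corpus text", encoding="utf-8")
        secret = Path(root, "secret.txt")
        secret.write_text("not for users", encoding="utf-8")
        requests = {
            "inside": "doc.txt",
            "traversal": "../secret.txt",
            "absolute": str(secret),
        }
        for label, req in requests.items():
            try:
                results[label] = confined_read(corpus, req)
            except (PermissionError, FileNotFoundError) as exc:
                results[label] = type(exc).__name__
        # The unchecked helper serves the same out-of-tree request.
        results["unchecked"] = unchecked_read(os.path.join(corpus, "../secret.txt"))
    return results
```

The check and the open are separate steps, so the wrapper assumes the base directory is not writable by the party supplying the path.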
