Path Traversal Vulnerability in NLTK by Natural Language Toolkit
CVE-2026-54293

7.5HIGH

Key Information:

Vendor: Nltk
Status: Nltk
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-54293?

The NLTK (Natural Language Toolkit) vulnerability allows attackers to exploit a flaw in the file handling mechanism, particularly through the nltk.data.load() function. This security issue stems from improper validation of URL-encoded path separators, enabling path traversal attacks. Although direct traversal sequences are effectively blocked, encoded variants evade the regex checks, facilitating unauthorized access to sensitive filesystem locations. This threat can lead to leakage of critical data, compromising the security of applications utilizing NLTK. The vulnerability has been addressed in version 3.10.0-rc1.

Affected Version(s)

nltk < 3.10.0-rc1

References

https://github.com/nltk/nltk/security/advisories/GHSA-p4g...

x_refsource_CONFIRM

https://github.com/nltk/nltk/pull/3575

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Jun 12, 2026

CVE-2026-54293 Data

JSON

Nltk

What is CVE-2026-54293?

Affected Version(s)

References

CVSS V3.1

Timeline