Directory Traversal Vulnerability in ChatterBot by Gunther Cox
CVE-2026-58198
5.5MEDIUM
What is CVE-2026-58198?
ChatterBot, a machine learning-based conversational dialog engine, contains a directory traversal vulnerability due to the predictable output directory used in the UbuntuCorpusTrainer.extract() function. A local attacker could exploit this by pre-creating a symlink at the specified path, enabling unauthorized writing of extracted archive contents to a location chosen by the attacker. This flaw was addressed in version 1.2.14, which mitigates the risk by changing how files are extracted and managed.
Affected Version(s)
ChatterBot < 1.2.14
