Directory Traversal Vulnerability in ChatterBot by Gunther Cox
CVE-2026-58198

5.5MEDIUM

Key Information:

Vendor

Gunthercox

Vendor
CVE Published:
9 July 2026

What is CVE-2026-58198?

ChatterBot, a machine learning-based conversational dialog engine, contains a directory traversal vulnerability due to the predictable output directory used in the UbuntuCorpusTrainer.extract() function. A local attacker could exploit this by pre-creating a symlink at the specified path, enabling unauthorized writing of extracted archive contents to a location chosen by the attacker. This flaw was addressed in version 1.2.14, which mitigates the risk by changing how files are extracted and managed.

Affected Version(s)

ChatterBot < 1.2.14

References

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.