CVE-2026-0846 HIGH

CVE-2026-0846: Arbitrary File Read via Absolute Path Input in nltk.util.filestring()

Vendor Nltk
Product nltk/nltk
Weakness CWE-36
Published March 9, 2026
Last update June 30, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01 Description

A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
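
A caller-side guard for the pattern described above, as an added example (not NLTK's code or its fix): it resolves the user-supplied path against one allowed directory and rejects absolute, traversal and symlinked paths before the `open()`/`read()` happens. The names `resolve_inside`, `read_text_checked` and `UnsafePathError`, and the sample directory tree, are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """User-supplied path resolves outside the allowed directory."""


def resolve_inside(base_dir, user_path):
    """Return the real path for user_path, or raise if it leaves base_dir."""
    base = Path(base_dir).resolve(strict=True)
    # An absolute user_path discards base in the join; the check below is the defence.
    candidate = (base / user_path).resolve()  # collapses ".." and symlinks
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"rejected path: {user_path!r}") from None
    return candidate


def read_text_checked(base_dir, user_path):
    """Check containment, then do the plain open()/read() the advisory describes."""
    with open(resolve_inside(base_dir, user_path), encoding="utf-8") as infile:
        return infile.read()


def demo():
    """Run the guard over constructed inputs in a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        corpus, private = Path(root, "corpus"), Path(root, "private")
        corpus.mkdir()
        private.mkdir()
        (corpus / "sample.txt").write_text("corpus text", encoding="utf-8")
        secret = private / "secret.txt"
        secret.write_text("not for users", encoding="utf-8")
        os.symlink(secret, corpus / "link.txt")  # symlink pointing outside
        for p in ["sample.txt", str(secret), "../private/secret.txt", "link.txt"]:
            label = p if p != str(secret) else "<absolute>"
            try:
                results[label] = read_text_checked(corpus, p)
            except UnsafePathError:
                results[label] = "REJECTED"
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path:28} {outcome}")
```

The check is made on the resolved path, so it should run immediately before the read and the allowed directory should not be writable by the party supplying the path.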

Key dates

02 Disclosure timeline

March 9, 2026 CVE published
June 30, 2026 Record updated