CVE-2026-33236 HIGH

CVE-2026-33236: NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite

Vendor Nltk
Product nltk
Weakness CWE-22 · Path traversal
Published March 20, 2026
Last update June 30, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite. Commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a patches the issue.

Key dates

02Disclosure timeline

March 20, 2026 CVE published
June 30, 2026 Record updated