Fluid Attacks Database

Description

NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring() A vulnerability in the filestring() function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	nltk	=3.9.1-2 \|\| =3.9.2-1 \|\| >=0 <3.9.3-1	3.9.3-1
debian 13	nltk	=3.9.1-2 \|\| =3.9.2-1 \|\| =3.9.3-1	-
debian 11	nltk	=3.5-1 \|\| =3.6.5-1 \|\| =3.6.7-1 \|\| =3.7-1 \|\| =3.8-1 \|\| =3.8.1-1 \|\| =3.9.1-1 \|\| =3.9.1-2 \|\| =3.9.2-1 \|\| =3.9.3-1	-
debian 12	nltk	=3.8-1 \|\| =3.8.1-1 \|\| =3.9.1-1 \|\| =3.9.1-2 \|\| =3.9.2-1 \|\| =3.9.3-1	-
pypi	nltk	>=0 <3.9.3	3.9.3

Aliases

1. CVE-2026-08462. NVD-2026-08463. OSV-DEBIAN-2026-08464. OSV-2026-08465. GCVE-2026-08466. SECURITY-TRACKER-CVE-2026-0846

References

1. https://github.com/nltk/nltk/pull/34852. https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca19743. https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb