CVE-2026-0846: NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()

March 9, 2026 (updated April 18, 2026)

A vulnerability in the filestring() function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

References

github.com/advisories/GHSA-h8wq-7xc4-p3qx
github.com/nltk/nltk
github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974
github.com/nltk/nltk/pull/3485
huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb
nvd.nist.gov/vuln/detail/CVE-2026-0846

Code Behaviors & Features

Detect and mitigate CVE-2026-0846 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →