Cyber Posture

CVE-2026-0846

Severity: High · Public PoC

Published: 09 March 2026
Modified: 17 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0008 (24.2nd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0846 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in NLTK (vendor: Nltk, product: Nltk). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 24.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and one other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Path traversal enables direct arbitrary file reads from the local system (T1005); when the vulnerable function is exposed through web APIs or other public applications, it allows exploitation of a public-facing service (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

Deeper analysis (AI-generated)

CVE-2026-0846 is a path traversal vulnerability (CWE-36) in the `filestring()` function of the `nltk.util` module in NLTK version 3.9.2. The function directly opens files specified by user input without proper path sanitization, enabling arbitrary file reads on the system hosting the affected software. This flaw affects applications using NLTK 3.9.2 that invoke `filestring()` with unsanitized inputs.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), allowing unauthenticated remote attackers to exploit it over the network with low complexity and no user interaction. Exploitation is feasible in scenarios where the function processes user-supplied paths, such as web APIs or other interfaces, granting attackers read access to sensitive system files via absolute paths or directory traversals.
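The mitigation the analysis points to is path confinement: resolve the user-supplied name under an application-chosen root and refuse anything that lands outside it. The block below is an added example, not NLTK's code; `is_within_root`, `safe_read` and `demo` are hypothetical helpers, and the corpus file and the rejected inputs are constructed.

```python
"""Confined file read that rejects the absolute and traversal inputs the
CVE description names (CWE-36). Hypothetical helpers, not NLTK's API."""
import tempfile
from pathlib import Path


def is_within_root(root: Path, candidate: str) -> bool:
    """True only if `candidate`, joined to `root`, resolves inside `root`.

    Absolute inputs are rejected outright. Traversal inputs ("../x") are
    caught by resolving the joined path and checking containment; resolve()
    also follows symlinks, so a link that points outside the root is rejected.
    """
    root = root.resolve()
    if Path(candidate).is_absolute():
        return False
    target = (root / candidate).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return False
    return True


def safe_read(root: Path, candidate: str) -> str:
    """Read `candidate` relative to `root`, raising if it escapes the root."""
    if not is_within_root(root, candidate):
        raise PermissionError(f"refusing path outside allowed root: {candidate!r}")
    with open(root.resolve() / candidate, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed scenario: one permitted file inside a temporary root, plus
    three inputs of the kind the description mentions. Returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "corpus.txt").write_text("hello corpus", encoding="utf-8")
        results["corpus.txt"] = safe_read(root, "corpus.txt")
        for bad in ("/etc/passwd", "../../etc/passwd", "sub/../../secret"):
            try:
                safe_read(root, bad)
                results[bad] = "allowed"
            except PermissionError:
                results[bad] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```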

The Huntr.com bounty report (https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb) provides details on the issue.

NLTK, a Python library for natural language processing, has relevance to AI/ML workflows where vulnerable code may be deployed in data processing pipelines.

Details

CWE(s): CWE-36 (Absolute Path Traversal)

Affected Products

Vendor: nltk · Product: nltk · Version: 3.9.2

CVEs Like This One

CVE-2026-33231 (same product: Nltk Nltk)
CVE-2026-0847 (same product: Nltk Nltk)
CVE-2026-33236 (same product: Nltk Nltk)
CVE-2026-1330 (shared CWE-36)
CVE-2026-2753 (shared CWE-36)
CVE-2026-4373 (shared CWE-36)
CVE-2026-28414 (shared CWE-36)
CVE-2025-57790 (shared CWE-36)
CVE-2024-13159 (shared CWE-36)
CVE-2026-1018 (shared CWE-36)

References