CVE-2026-33236Path Traversal in Nltk

CWE-22Path Traversal8 documents6 sources
Severity
8.1HIGHNVD
EPSS
0.0%
top 97.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
NltkDebian Nltk
Timeline
PublishedMar 20

Description

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creation, arbitrary file c

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

NVDnltk/nltk3.9.3
PyPInltk/nltk3.9.2
debiandebian/nltk

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
CVE-2026-33236: NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Lang2026-03-20
OSV
NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite2026-03-19
GHSA
NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite2026-03-19

📋Vendor Advisories

2
Red Hat
nltk: NLTK: Arbitrary file overwrite and creation via path traversal in XML index files2026-03-20
Debian
CVE-2026-33236: nltk - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data s...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-33236 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-33236 — Path Traversal in Nltk | cvebase