{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-0846","assignerOrgId":"c09c270a-b464-47c1-9133-acb35b22c19a","state":"PUBLISHED","assignerShortName":"@huntr_ai","dateReserved":"2026-01-10T23:22:13.648Z","datePublished":"2026-03-09T19:19:09.464Z","dateUpdated":"2026-06-30T12:07:12.030Z"},"containers":{"cna":{"title":"Arbitrary File Read via Absolute Path Input in nltk.util.filestring()","providerMetadata":{"orgId":"c09c270a-b464-47c1-9133-acb35b22c19a","shortName":"@huntr_ai","dateUpdated":"2026-03-09T19:19:09.464Z"},"descriptions":[{"lang":"en","value":"A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input."}],"affected":[{"vendor":"nltk","product":"nltk/nltk","versions":[{"version":"unspecified","status":"affected","versionType":"custom","lessThanOrEqual":"latest"}]}],"references":[{"url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb"}],"metrics":[{"cvssV3_0":{"version":"3.0","attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","baseScore":8.6,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-36 Absolute Path Traversal","cweId":"CWE-36"}]}],"source":{"advisory":"007b84f8-418e-4300-99d0-bf504c2f97eb","discovery":"EXTERNAL"}},"adp":[{"references":[{"url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-12T14:48:03.077006Z","id":"CVE-2026-0846","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-12T14:48:25.181Z"}},{"affected":[{"cpes":["cpe:/a:redhat:openshift_ai:2.25::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 2.25","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai:3.3::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift AI 3.3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:lightspeed_core"],"defaultStatus":"affected","product":"Lightspeed Core","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"affected","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"}],"datePublic":"2026-03-09T19:19:09.464Z","descriptions":[{"lang":"en","value":"A flaw was found in the `nltk` component. This vulnerability, specifically within the `filestring()` function of the `nltk.util` module, allows an attacker to perform arbitrary file reads. By providing specially crafted input paths, either absolute or using directory traversal, an attacker can bypass input validation and access sensitive system files. This can be exploited both locally and remotely, particularly when the function processes user-supplied input in applications like web APIs."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-0846"},{"name":"RHBZ#2445826","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445826"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-0846.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19712"}],"solutions":[{"lang":"en","value":"RHSA-2026:10184: Red Hat OpenShift AI 2.25"},{"lang":"en","value":"RHSA-2026:19712: Red Hat OpenShift AI 3.3"}],"timeline":[{"lang":"en","time":"2026-03-09T20:01:29.643Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-09T19:19:09.464Z","value":"Made public."}],"title":"nltk: NLTK: Arbitrary file read via improper path validation in `filestring()` function","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:07:12.030Z"}}]}}