PT-2026-24105 · Nltk · Nltk

Published 2026-03-09 · Updated 2026-05-25 · CVE-2026-0846

CVSS v3.1: 8.6 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

nltk version 3.9.2

Description

A flaw exists in the filestring() function within the nltk.util module. This issue allows for arbitrary file reading because of inadequate validation of input paths. The function directly opens files specified by user-provided input without proper sanitization, potentially allowing attackers to access sensitive system files by supplying absolute paths or using path traversal techniques. This can be exploited both locally and remotely, especially in applications where the function is used within web APIs or other interfaces that accept user input. The vulnerable function is filestring().

Recommendations

Versions prior to 3.9.2 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
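
A caller-side guard for applications that currently pass user input to filestring(), shown as an added example that is not NLTK's code or an upstream fix. The names `safe_filestring` and `UnsafePathError` and the directory layout are hypothetical, and the sample files are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Requested path is not a regular file inside the allowed directory."""


def safe_filestring(user_path: str, base_dir: str) -> str:
    """Hypothetical guard (not part of NLTK): read a file only from base_dir."""
    base = Path(base_dir).resolve(strict=True)
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    candidate = Path(user_path)
    if candidate.is_absolute():
        raise UnsafePathError("absolute paths are not accepted")
    try:
        # resolve() collapses ".." and follows symlinks, so the containment
        # check below runs on the real target, not on the string supplied.
        resolved = (base / candidate).resolve(strict=True)
    except OSError as exc:
        raise UnsafePathError("path does not resolve") from exc
    if base not in resolved.parents:
        raise UnsafePathError("path escapes the allowed directory")
    if not resolved.is_file():
        raise UnsafePathError("not a regular file")
    # Check-then-open is still a race; keep base_dir writable only by the service.
    with open(resolved, encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Run the guard over constructed sample files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        corpus = root / "corpus"
        corpus.mkdir()
        (corpus / "sample.txt").write_text("hello corpus", encoding="utf-8")
        (root / "secret.txt").write_text("outside", encoding="utf-8")
        (corpus / "link.txt").symlink_to(root / "secret.txt")
        cases = {"inside": "sample.txt", "traversal": "../secret.txt",
                 "absolute": str(root / "secret.txt"), "symlink": "link.txt"}
        for label, path in cases.items():
            try:
                results[label] = safe_filestring(path, str(corpus))
            except UnsafePathError as exc:
                results[label] = f"rejected: {exc}"
    return results
```

The containment check is made on the resolved path rather than on the input string, so a request is judged by the file it would actually open.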

Related Identifiers

CVE-2026-0846
GHSA-H8WQ-7XC4-P3QX
PYSEC-2026-97
USN-8302-1

Affected Products

Nltk