PT-2026-56905 · Gunthercox · Chatterbot
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-58198
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. Prior to 1.2.14, UbuntuCorpusTrainer.extract() uses a predictable home-rooted output directory (~/ubuntu data/ubuntu dialogs) with a check-then-create pattern followed by tar.extractall(path=self.data path), allowing a local attacker who pre-plants a symlink at the predictable path to cause archive contents to be written through the symlink to an attacker-chosen directory. This issue is fixed in version 1.2.14.
Fix
Link Following
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Chatterbot