PT-2026-56905 · Gunthercox · Chatterbot

Published

2026-07-09

·

Updated

2026-07-09

·

CVE-2026-58198

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. Prior to 1.2.14, UbuntuCorpusTrainer.extract() uses a predictable home-rooted output directory (~/ubuntu data/ubuntu dialogs) with a check-then-create pattern followed by tar.extractall(path=self.data path), allowing a local attacker who pre-plants a symlink at the predictable path to cause archive contents to be written through the symlink to an attacker-chosen directory. This issue is fixed in version 1.2.14.

Fix

Link Following

Time Of Check To Time Of Use

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58198

Affected Products

Chatterbot