CVE-2026-12243

Source
https://cve.org/CVERecord?id=CVE-2026-12243
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12243.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-12243
Aliases
Downstream
Related
Published
2026-06-30T00:14:35.370Z
Modified
2026-07-08T15:29:24.015781909Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Path Traversal via Percent-Encoding in nltk.data.find() and nltk.data.load()
Details

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The _UNSAFE_NO_PROTOCOL_RE regex in nltk/data.py checks for literal ../ sequences but fails to account for percent-encoded traversal sequences such as ..%2f. The url2pathname() function decodes these sequences after the validation step, allowing an attacker to bypass the protection. This vulnerability enables an attacker to read arbitrary files accessible to the Python process by controlling the resource name parameter passed to nltk.data.load() or nltk.data.find(). The issue affects applications that rely on NLTK for resource loading, including NLP web applications, Jupyter notebooks, and CLI tools. The default pathsec.ENFORCE=False setting exacerbates the impact by not blocking the file read at the open() stage.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12243.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "@huntr_ai"
}
References

Affected packages

Git / github.com/nltk/nltk

Affected ranges

Type
GIT
Repo
https://github.com/nltk/nltk
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:nltk:nltk:3.9.4:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "3.9.4"
        },
        {
            "last_affected": "3.9.4"
        }
    ]
}

Affected versions

3.*
3.9.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12243.json"