CVE-2026-33236
- Source
- https://cve.org/CVERecord?id=CVE-2026-33236
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33236.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33236
- Aliases
- Downstream
- Related
- Published
- 2026-03-20T22:47:10.308Z
- Modified
- 2026-04-10T05:42:39.568063Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H CVSS Calculator
- Summary
- NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite
- Details
-
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the
subdirandidattributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as../), which can lead to arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite. Commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a patches the issue. - Database specific
{ "cwe_ids": [ "CWE-22" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33236.json", "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/nltk/nltk
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nltk/nltk
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed