CVE-2026-54293

Source
https://cve.org/CVERecord?id=CVE-2026-54293
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54293.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54293
Aliases
Downstream
Related
Published
2026-06-22T17:25:05.611Z
Modified
2026-07-08T15:29:23.058365523Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
NLTK: URL-Encoded Path Traversal in nltk.data.load() Allows Arbitrary Local File Read
Details

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Prior to 3.10.0-rc1, nltk.data.load() in NLTK is vulnerable to path traversal via URL-encoded path separators and traversal segments when using the nltk: URL scheme. The unsafe-path regex check is performed before url2pathname() decodes the %xx sequences (a classic decode-after-check / TOCTOU-style flaw), allowing an attacker to bypass the protection documented in NLTK's SECURITY.md and read arbitrary files from the filesystem. While literal traversal strings such as ../../../etc/passwd are correctly blocked, encoded variants such as %2fetc%2fpasswd, %2e%2e%2f..., and ..%2f..%2f slip past the regex and are subsequently decoded into a real filesystem path. This vulnerability is fixed in 3.10.0-rc1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54293.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/nltk/nltk

Affected ranges

Type
GIT
Repo
https://github.com/nltk/nltk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.10.0-rc1"
        }
    ]
}

Affected versions

2.*
2.0.1rc1
2.0.1rc2
2.0.1rc3
2.0.1rc4
3.*
3.0.0b1
3.0.2
3.0.3
3.0.4
3.0.5
3.0a4
3.1
3.2
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3
3.4
3.4.1
3.4.3
3.4.4
3.5
3.5b1
3.6
3.6.1
3.6.2
3.6.5
3.6.6
3.6.7
3.7
3.8
3.8.1
3.8.2
3.9
3.9.1
3.9.2
3.9.3
3.9.4
v3.*
v3.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54293.json"