CVE-2026-0846

Publication date 9 March 2026

Last updated 27 May 2026

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

8.6 · High

Score breakdown

Description

A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.

Status

Package Ubuntu Release Status
nltk 26.04 LTS resolute
Fixed 3.9.2-1ubuntu0.1~esm2
25.10 questing
Vulnerable
24.04 LTS noble
Fixed 3.8.1-1ubuntu0.1~esm2
22.04 LTS jammy
Fixed 3.7-1ubuntu0.1~esm2
20.04 LTS focal
Fixed 3.4.5-2ubuntu0.1~esm4
18.04 LTS bionic
Fixed 3.2.5-1ubuntu0.1+esm4
16.04 LTS xenial Ignored end of ESM support, was needed
14.04 LTS trusty
Fixed 2.0~b9-0ubuntu4.1~esm6

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
nltk

Severity score breakdown

Parameter Value
Base score 8.6 · High
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact Low
Availability impact Low
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

References

Related Ubuntu Security Notices (USN)

Other references

Access our resources on patching vulnerabilities