Platform
python
Component
nltk
Fixed in
3.9.4
3.9.3
CVE-2026-33236 describes a Path Traversal vulnerability within the NLTK (Natural Language Toolkit) downloader. This flaw allows attackers to manipulate remote XML index files to create arbitrary directories and files on the system, potentially overwriting critical files. The vulnerability affects versions of NLTK up to and including 3.9.2. A fix is available by upgrading to a patched version of NLTK.
The core of the vulnerability lies in the NLTK downloader's insufficient validation of the subdir and id attributes within remote XML index files. An attacker controlling a malicious XML index server can craft responses containing path traversal sequences (e.g., ../). This allows them to bypass intended directory restrictions and perform several malicious actions. Specifically, attackers can create directories at arbitrary locations on the file system, create arbitrary files, and, critically, overwrite existing system files. Overwriting files like /etc/passwd or ~/.ssh/authorized_keys could grant attackers unauthorized access and control over the affected system. The potential for arbitrary file overwrite significantly elevates the risk associated with this vulnerability.
CVE-2026-33236 was publicly disclosed on 2026-03-19. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a potential risk. The EPSS score is pending evaluation, but the ability to overwrite system files suggests a potentially high-impact scenario.
Systems running NLTK versions 3.9.2 and earlier are at risk, particularly those where the NLTK downloader is exposed to untrusted XML index servers. Development environments and automated build pipelines that utilize NLTK are also potential targets.
• python / nltk:
import nltk

def parse_version(text):
    # Compare numerically: a plain string comparison would rank "3.9.10" below "3.9.2".
    return tuple(int(part) for part in text.split(".")[:3] if part.isdigit())

def check_nltk_version():
    version = nltk.__version__
    if parse_version(version) <= (3, 9, 2):
        print(f"NLTK version {version} is vulnerable to CVE-2026-33236.")
    else:
        print(f"NLTK version {version} is not vulnerable.")

check_nltk_version()
• generic web: Monitor access logs for requests to NLTK download endpoints containing path traversal sequences (e.g., ../).
• generic web: Check for unexpected files or directories created in system directories.
Disclosure
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33236 is to upgrade to a patched version of NLTK. Consult the NLTK project's release notes for the latest version. If upgrading is not immediately feasible, consider implementing strict input validation on the subdir and id attributes within the NLTK downloader. This could involve whitelisting allowed characters or enforcing maximum path lengths. Additionally, restrict access to the NLTK downloader to trusted sources and networks. Carefully review any remote XML index files before processing them to identify and reject malicious content. After upgrading, confirm the fix by attempting to download a resource using a known malicious path traversal sequence and verifying that the download fails with an appropriate error.
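As an added, illustrative hardening check (not NLTK's own code), the following validates the subdir and id attributes of an index against a character allow-list and then confirms that the resolved path stays inside the download root; the XML, package names, URLs and root directory are constructed values.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample index loosely modelled on the NLTK index layout; ids, subdirs
# and URLs are made-up values, including three hostile entries.
SAMPLE_INDEX = """<?xml version="1.0"?>
<nltk_data>
  <packages>
    <package id="punkt" subdir="tokenizers" url="https://example.invalid/punkt.zip"/>
    <package id="../../../../etc/passwd" subdir="corpora" url="https://example.invalid/a.zip"/>
    <package id="wordnet" subdir="../../.ssh" url="https://example.invalid/b.zip"/>
    <package id="stopwords" subdir="corpora/../corpora" url="https://example.invalid/c.zip"/>
  </packages>
</nltk_data>
"""

# Allow-list for one path segment: letters, digits, underscore, hyphen, dot; no leading
# dot, no separators, at most 64 characters. This rejects "", ".", ".." and "a/b" outright.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}")

def is_safe_component(value):
    """True if value is a single plain path segment with no traversal or separators."""
    return SAFE_COMPONENT.fullmatch(value) is not None

def resolve_inside(root, subdir, pkg_id):
    """Return the normalised target path if it stays under root, otherwise None.
    Defence in depth: a target escaping root after realpath() is refused regardless."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, subdir, pkg_id))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target

def validate_index(xml_text, root):
    """Split the index's packages into accepted {id: path} and a list of rejected ids."""
    accepted, rejected = {}, []
    for pkg in ET.fromstring(xml_text).iter("package"):
        pkg_id, subdir = pkg.get("id", ""), pkg.get("subdir", "")
        target = None
        if is_safe_component(pkg_id) and is_safe_component(subdir):
            target = resolve_inside(root, subdir, pkg_id)
        if target is None:
            rejected.append(pkg_id)
        else:
            accepted[pkg_id] = target
    return accepted, rejected
```

Run against SAMPLE_INDEX, only the punkt entry is accepted; the other three are rejected by the allow-list before any path is ever created.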
Upgrade the NLTK library to a version later than 3.9.3. This can be done using the pip package manager: `pip install --upgrade nltk`.
CVE-2026-33236 is a Path Traversal vulnerability affecting NLTK versions up to 3.9.2. It allows attackers to create or overwrite files by manipulating remote XML index files.
Yes, if you are using NLTK version 3.9.2 or earlier, you are vulnerable to this Path Traversal vulnerability.
Upgrade to a patched version of NLTK that addresses the vulnerability. Until then, restrict access to the downloader and validate input.
There is currently no confirmed active exploitation of CVE-2026-33236, but the vulnerability's nature suggests it could be exploited.
Refer to the NLTK security advisories and project documentation for updates and official guidance on CVE-2026-33236.