Platform: python
Component: nltk
Fixed in: 3.9.4, 3.9.3
CVE-2026-33236 describes a Path Traversal vulnerability in the NLTK (Natural Language Toolkit) downloader. The flaw allows an attacker who controls a remote XML index file to have the downloader create arbitrary directories and files on the system, potentially overwriting critical files. The vulnerability affects versions of NLTK up to and including 3.9.2. A fix is available by upgrading to a patched version of NLTK.
The impact of this vulnerability is significant due to the potential for arbitrary file creation and overwriting. An attacker controlling a malicious XML index server could craft a response containing path traversal sequences (e.g., ../) that, when processed by the NLTK downloader, would allow them to write files to unexpected locations. This could lead to the creation of malicious executables, the modification of system configuration files (like /etc/passwd or ~/.ssh/authorized_keys), or the complete compromise of the system. The ability to overwrite system files represents a severe escalation of privileges and a significant security risk.
CVE-2026-33236 was publicly disclosed on 2026-03-19. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a suitable XML index server is controlled. The CVSS score of 8.1 (HIGH) reflects the potential for significant impact.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33236 is to upgrade to a patched version of NLTK that addresses the vulnerability. Until an upgrade is possible, consider implementing strict input validation on the subdir and id attributes when processing remote XML index files. If upgrading is not immediately feasible, restrict network access to the NLTK downloader to trusted sources only. Employ a Web Application Firewall (WAF) to filter requests containing suspicious path traversal sequences. Monitor system logs for unusual file creation or modification activity.
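The following is an added, illustrative example of the interim mitigation described above (strict validation of the subdir and id attributes of a remote index before they are used to build local paths). It is not NLTK's own code, and the XML layout of the constructed sample index is an assumption based only on the attribute names the advisory mentions, not NLTK's real schema. Each attribute is restricted to safe path components, and the resolved target is additionally checked to stay inside the download directory.

```python
"""Added defensive example: validate subdir/id attributes from a remote package
index before deriving local paths from them. Not NLTK project code."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample index. The <package id=... subdir=...> layout is an
# assumption for illustration; it is not claimed to match NLTK's real index.
SAMPLE_INDEX = """<?xml version="1.0"?>
<index>
  <package id="punkt" subdir="tokenizers" url="https://example.invalid/punkt.zip"/>
  <package id="../../.ssh/authorized_keys" subdir="tokenizers" url="https://example.invalid/x.zip"/>
  <package id="stopwords" subdir="../etc" url="https://example.invalid/stopwords.zip"/>
  <package id="wordnet" subdir="corpora/nested" url="https://example.invalid/wordnet.zip"/>
  <package id="" subdir="corpora" url="https://example.invalid/empty.zip"/>
  <package id="abs" subdir="/tmp" url="https://example.invalid/abs.zip"/>
</index>
"""

# A single safe path component: letters, digits, '_', '-', '.', 1..64 chars,
# and never exactly "." or "..". No separators, so traversal cannot be expressed.
_SAFE_COMPONENT = re.compile(r"^(?!\.{1,2}$)[A-Za-z0-9_.-]{1,64}$")


def is_safe_component(value):
    """True if value is a non-empty, separator-free, non-dot path component."""
    return bool(value) and _SAFE_COMPONENT.match(value) is not None


def safe_target_path(base_dir, subdir, package_id):
    """Return base_dir/subdir/package_id when subdir (one or more '/'-joined
    components) and package_id are safe and the resolved path stays inside
    base_dir. Raise ValueError otherwise."""
    components = subdir.split("/")  # a leading '/' or '//' yields an empty component
    if not all(is_safe_component(c) for c in components):
        raise ValueError(f"unsafe subdir attribute: {subdir!r}")
    if not is_safe_component(package_id):
        raise ValueError(f"unsafe id attribute: {package_id!r}")
    base = Path(base_dir).resolve()
    target = base.joinpath(*components, package_id).resolve()
    # Defence in depth: containment check even though the regex forbids separators.
    if base not in target.parents:
        raise ValueError(f"target escapes download directory: {target}")
    return target


def validate_index(xml_text, base_dir):
    """Parse an index document and split its package entries into
    accepted (id -> resolved local path) and rejected (id -> reason)."""
    accepted, rejected = {}, {}
    # For untrusted XML, defusedxml.ElementTree is the safer parser choice.
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        pkg_id = pkg.get("id", "")
        subdir = pkg.get("subdir", "")
        try:
            accepted[pkg_id] = str(safe_target_path(base_dir, subdir, pkg_id))
        except ValueError as exc:
            rejected[pkg_id] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_index(SAMPLE_INDEX, "nltk_data")
    for pkg_id, path in ok.items():
        print(f"ACCEPT {pkg_id!r} -> {path}")
    for pkg_id, reason in bad.items():
        print(f"REJECT {pkg_id!r}: {reason}")
```

The allow-list regex does the real work: because neither attribute may contain a path separator or a bare dot component, sequences such as `../` can never reach the filesystem layer. The containment check after `resolve()` is redundant by design, so that a future relaxation of the regex still cannot place a file outside the download directory.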
Update the NLTK library to a version later than 3.9.3. This can be done with the pip package manager: `pip install --upgrade nltk`.
CVE-2026-33236 is a Path Traversal vulnerability affecting NLTK versions up to 3.9.2. It allows attackers to create or overwrite files by manipulating remote XML index files.
Yes, if you are using NLTK version 3.9.2 or earlier, you are vulnerable to this Path Traversal vulnerability.
Upgrade to a patched version of NLTK that addresses the vulnerability. Until then, restrict access to the downloader and validate input.
There is currently no confirmed active exploitation of CVE-2026-33236, but the vulnerability's nature suggests it could be exploited.
Refer to the NLTK security advisories and project documentation for updates and official guidance on CVE-2026-33236.
CVSS Vector