Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/240102?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/240102?format=api", "purl": "pkg:pypi/nltk@3.2.5", "type": "pypi", "namespace": "", "name": "nltk", "version": "3.2.5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.9.4", "latest_non_vulnerable_version": "3.9.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36821?format=api", "vulnerability_id": "VCID-1n1s-amsg-83aa", "summary": "NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39705", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.10792", "scoring_system": "epss", "scoring_elements": "0.93494", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.10792", "scoring_system": "epss", "scoring_elements": "0.93497", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39705" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2" }, { "reference_url": "https://github.com/nltk/nltk/issues/2522", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/" } ], "url": "https://github.com/nltk/nltk/issues/2522" }, { "reference_url": "https://github.com/nltk/nltk/issues/3266", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/" } ], "url": "https://github.com/nltk/nltk/issues/3266" }, { "reference_url": 
"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml" }, { "reference_url": "https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/" } ], "url": "https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423", "reference_id": "1074423", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39705", "reference_id": "CVE-2024-39705", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39705" }, { "reference_url": "https://github.com/advisories/GHSA-cgvx-9447-vcch", "reference_id": "GHSA-cgvx-9447-vcch", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cgvx-9447-vcch" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41797?format=api", "purl": "pkg:pypi/nltk@3.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-924g-fe71-9uhp" }, { "vulnerability": "VCID-94me-p193-vfb8" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" }, { "vulnerability": "VCID-rkj9-d4q7-aqhv" }, { "vulnerability": "VCID-un8t-2sde-ekc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9" } ], "aliases": [ "CVE-2024-39705", "GHSA-cgvx-9447-vcch", "PYSEC-2024-167" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1n1s-amsg-83aa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35876?format=api", "vulnerability_id": "VCID-48uj-cw5e-mucw", "summary": "nltk is vulnerable to Inefficient Regular Expression Complexity", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3828", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00433", "scoring_system": "epss", "scoring_elements": "0.63112", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00433", "scoring_system": "epss", "scoring_elements": "0.6306", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00433", "scoring_system": "epss", "scoring_elements": "0.63089", "published_at": 
"2026-06-08T12:55:00Z" }, { "value": "0.00433", "scoring_system": "epss", "scoring_elements": "0.63102", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00433", "scoring_system": "epss", "scoring_elements": "0.63104", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3828" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3828", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3828" }, { "reference_url": "https://github.com/advisories/GHSA-2ww3-fxvq-293j", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2ww3-fxvq-293j" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6" }, { "reference_url": "https://github.com/nltk/nltk/pull/2816", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/pull/2816" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml" }, { "reference_url": "https://huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995226", "reference_id": "995226", 
"reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995226" }, { "reference_url": "https://security.archlinux.org/AVG-2423", "reference_id": "AVG-2423", "reference_type": "", "scores": [ { "value": "Low", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2423" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3828", "reference_id": "CVE-2021-3828", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3828" }, { "reference_url": "https://usn.ubuntu.com/USN-5215-1/", "reference_id": "USN-USN-5215-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5215-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23632?format=api", "purl": "pkg:pypi/nltk@3.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n1s-amsg-83aa" }, { "vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-924g-fe71-9uhp" }, { "vulnerability": "VCID-94me-p193-vfb8" }, { "vulnerability": "VCID-ajve-q4uj-qffv" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" }, { "vulnerability": "VCID-muw6-dqdh-u3fb" }, { "vulnerability": "VCID-rkj9-d4q7-aqhv" }, { "vulnerability": "VCID-un8t-2sde-ekc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.4" } ], "aliases": [ "CVE-2021-3828", "GHSA-2ww3-fxvq-293j", "PYSEC-2021-356" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-48uj-cw5e-mucw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64750?format=api", "vulnerability_id": "VCID-5skj-ygwz-73e6", "summary": "nltk: NLTK: Denial of Service via unauthenticated remote shutdown", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33231", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05671", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05727", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05713", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05714", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33231" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/" } ], "url": "https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b" }, { "reference_url": "https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/" } ], "url": "https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33231", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33231" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459", "reference_id": "1131459", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449836", "reference_id": "2449836", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449836" }, { "reference_url": "https://github.com/advisories/GHSA-jm6w-m3j8-898g", "reference_id": 
"GHSA-jm6w-m3j8-898g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jm6w-m3j8-898g" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19712", "reference_id": "RHSA-2026:19712", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19712" }, { "reference_url": "https://usn.ubuntu.com/8302-1/", "reference_id": "USN-8302-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8302-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112851?format=api", "purl": "pkg:pypi/nltk@3.9.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4" } ], "aliases": [ "CVE-2026-33231", "GHSA-jm6w-m3j8-898g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5skj-ygwz-73e6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64749?format=api", "vulnerability_id": "VCID-924g-fe71-9uhp", "summary": "nltk: NLTK: Arbitrary file overwrite and creation via path traversal in XML index files", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33236", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06486", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.0654", "published_at": 
"2026-06-05T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06538", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06527", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33236" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/" } ], "url": "https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a" }, { "reference_url": "https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/" } ], "url": "https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33236", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33236" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460", "reference_id": "1131460", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449824", "reference_id": "2449824", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449824" }, { "reference_url": "https://github.com/advisories/GHSA-469j-vmhf-r6v7", "reference_id": "GHSA-469j-vmhf-r6v7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-469j-vmhf-r6v7" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184", "reference_id": "RHSA-2026:10184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19712", "reference_id": "RHSA-2026:19712", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19712" }, { "reference_url": "https://usn.ubuntu.com/8302-1/", "reference_id": "USN-8302-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8302-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47638?format=api", "purl": "pkg:pypi/nltk@3.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { 
"vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3" } ], "aliases": [ "CVE-2026-33236", "GHSA-469j-vmhf-r6v7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-924g-fe71-9uhp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37215?format=api", "vulnerability_id": "VCID-94me-p193-vfb8", "summary": "A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. 
This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-14009", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00878", "scoring_system": "epss", "scoring_elements": "0.7569", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00878", "scoring_system": "epss", "scoring_elements": "0.75702", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00878", "scoring_system": "epss", "scoring_elements": "0.75712", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00878", "scoring_system": "epss", "scoring_elements": "0.75715", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-14009" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1" }, { "reference_url": "https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18" }, { "reference_url": "https://github.com/nltk/nltk/pull/3468", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/pull/3468" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml" }, { "reference_url": "https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4", "reference_id": "", "reference_type": "", "scores": [ { "value": "10", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-19T04:55:48Z/" } ], "url": "https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474", "reference_id": "1128474", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440724", "reference_id": "2440724", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440724" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14009", "reference_id": "CVE-2025-14009", "reference_type": "", "scores": [ { "value": "10.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14009" }, { "reference_url": "https://github.com/advisories/GHSA-7p94-766c-hgjp", "reference_id": "GHSA-7p94-766c-hgjp", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7p94-766c-hgjp" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184", "reference_id": "RHSA-2026:10184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10184" }, { "reference_url": "https://usn.ubuntu.com/8214-1/", "reference_id": "USN-8214-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8214-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47638?format=api", "purl": "pkg:pypi/nltk@3.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3" } ], "aliases": [ "CVE-2025-14009", "GHSA-7p94-766c-hgjp", "PYSEC-2026-96" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-94me-p193-vfb8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35945?format=api", "vulnerability_id": "VCID-ajve-q4uj-qffv", "summary": "nltk is vulnerable to Inefficient Regular Expression Complexity", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3842", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0017", "scoring_system": "epss", "scoring_elements": "0.37977", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0017", "scoring_system": "epss", "scoring_elements": "0.38041", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0017", "scoring_system": "epss", "scoring_elements": "0.38071", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0017", "scoring_system": "epss", "scoring_elements": "0.38068", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0017", "scoring_system": "epss", "scoring_elements": "0.38007", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3842" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3842", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3842" }, { "reference_url": "https://github.com/advisories/GHSA-rqjh-jp2r-59cj", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rqjh-jp2r-59cj" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d" }, { "reference_url": "https://github.com/nltk/nltk/pull/2906", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/pull/2906" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2022-5.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2022-5.yaml" }, { "reference_url": 
"https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003142", "reference_id": "1003142", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003142" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3842", "reference_id": "CVE-2021-3842", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3842" }, { "reference_url": "https://usn.ubuntu.com/7365-1/", "reference_id": "USN-7365-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7365-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/26291?format=api", "purl": "pkg:pypi/nltk@3.6.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n1s-amsg-83aa" }, { "vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-924g-fe71-9uhp" }, { "vulnerability": "VCID-94me-p193-vfb8" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" }, { "vulnerability": "VCID-rkj9-d4q7-aqhv" }, { "vulnerability": "VCID-un8t-2sde-ekc3" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.6" } ], "aliases": [ "CVE-2021-3842", "GHSA-rqjh-jp2r-59cj", "PYSEC-2022-5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ajve-q4uj-qffv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91116?format=api", "vulnerability_id": "VCID-c8bp-rz92-53g8", "summary": "Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS\n### Summary\n`JSONTaggedDecoder.decode_obj()` in `nltk/jsontags.py` calls itself \nrecursively without any depth limit. A deeply nested JSON structure \nexceeding `sys.getrecursionlimit()` (default: 1000) will raise an \nunhandled `RecursionError`, crashing the Python process.\n\n### Affected code\nFile: `nltk/jsontags.py`, lines 47–52\n```python\n@classmethod\ndef decode_obj(cls, obj):\n if isinstance(obj, dict):\n obj = {key: cls.decode_obj(val) for (key, val) in obj.items()}\n elif isinstance(obj, list):\n obj = list(cls.decode_obj(val) for val in obj)\n```\n\n### Proof of Concept\n```python\nimport sys, json\nfrom nltk.jsontags import JSONTaggedDecoder\n\ndepth = sys.getrecursionlimit() + 50 # e.g. 1050\npayload = '{\"x\":' * depth + \"null\" + \"}\" * depth\n\n# Raises RecursionError, crashing the process\njson.loads(payload, cls=JSONTaggedDecoder)\n```\n\n### Impact\nAny code path that passes externally-supplied JSON to \n`JSONTaggedDecoder` is vulnerable to denial of service.\nThe severity depends on whether such a path exists in the \ncalling code (e.g. 
`nltk/data.py`).\n\n### Suggested Fix\nAdd a depth parameter with a hard limit:\n```python\n@classmethod\ndef decode_obj(cls, obj, _depth=0):\n if _depth > 100:\n raise ValueError(\"JSON nesting too deep\")\n if isinstance(obj, dict):\n obj = {key: cls.decode_obj(val, _depth + 1) \n for (key, val) in obj.items()}\n elif isinstance(obj, list):\n obj = list(cls.decode_obj(val, _depth + 1) for val in obj)\n```", "references": [ { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw" }, { "reference_url": "https://github.com/advisories/GHSA-rf74-v2fm-23pw", "reference_id": "GHSA-rf74-v2fm-23pw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rf74-v2fm-23pw" } ], "fixed_packages": [], "aliases": [ "GHSA-rf74-v2fm-23pw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c8bp-rz92-53g8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35401?format=api", "vulnerability_id": "VCID-esfz-42mm-x3ad", "summary": "NLTK Downloader 
before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-14751", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03163", "scoring_system": "epss", "scoring_elements": "0.87177", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.03163", "scoring_system": "epss", "scoring_elements": "0.87173", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.03222", "scoring_system": "epss", "scoring_elements": "0.87289", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.03222", "scoring_system": "epss", "scoring_elements": "0.87308", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.03222", 
"scoring_system": "epss", "scoring_elements": "0.87311", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-14751" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14751", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14751" }, { "reference_url": "https://github.com/advisories/GHSA-mr7p-25v2-35wr", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mr7p-25v2-35wr" }, { "reference_url": "https://github.com/mssalvatore/CVE-2019-14751_PoC", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/mssalvatore/CVE-2019-14751_PoC" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { 
"reference_url": "https://github.com/nltk/nltk/blob/3.4.5/ChangeLog", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/blob/3.4.5/ChangeLog" }, { "reference_url": "https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2019-106.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2019-106.yaml" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/" }, { "reference_url": "https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751" }, { "reference_url": "https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935201", "reference_id": "935201", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935201" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14751", "reference_id": "CVE-2019-14751", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14751" }, { "reference_url": "https://usn.ubuntu.com/4106-1/", "reference_id": "USN-4106-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/4106-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/13972?format=api", "purl": "pkg:pypi/nltk@3.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n1s-amsg-83aa" }, { "vulnerability": "VCID-48uj-cw5e-mucw" }, { "vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-924g-fe71-9uhp" }, { "vulnerability": "VCID-94me-p193-vfb8" }, { "vulnerability": "VCID-ajve-q4uj-qffv" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" 
}, { "vulnerability": "VCID-muw6-dqdh-u3fb" }, { "vulnerability": "VCID-rkj9-d4q7-aqhv" }, { "vulnerability": "VCID-un8t-2sde-ekc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.4.5" } ], "aliases": [ "CVE-2019-14751", "GHSA-mr7p-25v2-35wr", "PYSEC-2019-106" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-esfz-42mm-x3ad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64751?format=api", "vulnerability_id": "VCID-g2jr-e9d2-qqgz", "summary": "nltk: NLTK: Script execution via reflected cross-site scripting in WordNet Browser", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33230", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05394", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.0545", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05433", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05434", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33230" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230" }, { "reference_url": "https://github.com/nltk/nltk", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/" } ], "url": "https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f" }, { "reference_url": "https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/" } ], "url": "https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e" }, { "reference_url": "https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/" } ], "url": "https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33230", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33230" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457", "reference_id": "1131457", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449825", "reference_id": "2449825", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449825" }, { "reference_url": "https://github.com/advisories/GHSA-gfwx-w7gr-fvh7", "reference_id": "GHSA-gfwx-w7gr-fvh7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gfwx-w7gr-fvh7" }, { "reference_url": "https://usn.ubuntu.com/8302-1/", "reference_id": "USN-8302-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8302-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112851?format=api", "purl": "pkg:pypi/nltk@3.9.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4" } ], "aliases": [ "CVE-2026-33230", "GHSA-gfwx-w7gr-fvh7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g2jr-e9d2-qqgz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35936?format=api", "vulnerability_id": 
"VCID-muw6-dqdh-u3fb", "summary": "NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43854", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34429", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34506", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34542", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34526", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00144", "scoring_system": "epss", "scoring_elements": "0.34465", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43854" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341" }, { "reference_url": "https://github.com/nltk/nltk/issues/2866", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/issues/2866" }, { "reference_url": "https://github.com/nltk/nltk/pull/2869", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/pull/2869" }, { "reference_url": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-859.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-859.yaml" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002623", "reference_id": "1002623", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002623" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43854", "reference_id": "CVE-2021-43854", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43854" }, { "reference_url": "https://github.com/advisories/GHSA-f8m6-h2c7-8h9x", "reference_id": "GHSA-f8m6-h2c7-8h9x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f8m6-h2c7-8h9x" }, { "reference_url": "https://usn.ubuntu.com/7365-1/", "reference_id": "USN-7365-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7365-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/25912?format=api", "purl": "pkg:pypi/nltk@3.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n1s-amsg-83aa" }, { "vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-924g-fe71-9uhp" }, { "vulnerability": "VCID-94me-p193-vfb8" }, { "vulnerability": "VCID-ajve-q4uj-qffv" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" }, { "vulnerability": "VCID-muw6-dqdh-u3fb" }, { "vulnerability": "VCID-rkj9-d4q7-aqhv" }, { "vulnerability": "VCID-un8t-2sde-ekc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/26291?format=api", "purl": "pkg:pypi/nltk@3.6.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1n1s-amsg-83aa" }, { "vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-924g-fe71-9uhp" }, { "vulnerability": "VCID-94me-p193-vfb8" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" }, { "vulnerability": "VCID-rkj9-d4q7-aqhv" }, { "vulnerability": "VCID-un8t-2sde-ekc3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.6" } ], "aliases": [ 
"CVE-2021-43854", "GHSA-f8m6-h2c7-8h9x", "PYSEC-2021-859" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-muw6-dqdh-u3fb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37231?format=api", "vulnerability_id": "VCID-rkj9-d4q7-aqhv", "summary": "A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0846", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25075", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25133", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25183", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00088", "scoring_system": "epss", "scoring_elements": "0.25196", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0846" }, { "reference_url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974" }, { "reference_url": "https://github.com/nltk/nltk/pull/3485", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk/pull/3485" }, { "reference_url": "https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T14:48:03Z/" } ], "url": "https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445826", "reference_id": "2445826", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445826" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0846", "reference_id": "CVE-2026-0846", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0846" }, { "reference_url": "https://github.com/advisories/GHSA-h8wq-7xc4-p3qx", "reference_id": "GHSA-h8wq-7xc4-p3qx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h8wq-7xc4-p3qx" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184", "reference_id": "RHSA-2026:10184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19712", "reference_id": "RHSA-2026:19712", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19712" }, { "reference_url": "https://usn.ubuntu.com/8302-1/", "reference_id": "USN-8302-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8302-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47638?format=api", "purl": "pkg:pypi/nltk@3.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3" } ], 
"aliases": [ "CVE-2026-0846", "GHSA-h8wq-7xc4-p3qx", "PYSEC-2026-97" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rkj9-d4q7-aqhv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37223?format=api", "vulnerability_id": "VCID-un8t-2sde-ekc3", "summary": "A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0847", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23584", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23647", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23631", "published_at": "2026-06-06T12:55:00Z" 
}, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.2353", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-0847" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847" }, { "reference_url": "https://github.com/nltk/nltk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/nltk/nltk" }, { "reference_url": "https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:49:39Z/" } ], "url": "https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444608", "reference_id": "2444608", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444608" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0847", "reference_id": "CVE-2026-0847", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0847" }, { "reference_url": "https://github.com/advisories/GHSA-68j8-pq59-fqgm", "reference_id": "GHSA-68j8-pq59-fqgm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-68j8-pq59-fqgm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184", "reference_id": "RHSA-2026:10184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:19712", "reference_id": "RHSA-2026:19712", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:19712" }, { "reference_url": "https://usn.ubuntu.com/8302-1/", "reference_id": "USN-8302-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8302-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/47638?format=api", "purl": "pkg:pypi/nltk@3.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5skj-ygwz-73e6" }, { "vulnerability": "VCID-c8bp-rz92-53g8" }, { "vulnerability": "VCID-g2jr-e9d2-qqgz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3" } ], "aliases": [ "CVE-2026-0847", "GHSA-68j8-pq59-fqgm", "PYSEC-2026-98" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-un8t-2sde-ekc3" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.2.5" }