Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/nltk@3.4.5
Type pypi
Namespace
Name nltk
Version 3.4.5
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 3.9.4
Latest_non_vulnerable_version 3.9.4
Affected_by_vulnerabilities
0
url VCID-1n1s-amsg-83aa
vulnerability_id VCID-1n1s-amsg-83aa
summary NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-39705
reference_id
reference_type
scores
0
value 0.10792
scoring_system epss
scoring_elements 0.93494
published_at 2026-06-08T12:55:00Z
1
value 0.10792
scoring_system epss
scoring_elements 0.93497
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-39705
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705
2
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
3
reference_url https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
4
reference_url https://github.com/nltk/nltk/issues/2522
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/
url https://github.com/nltk/nltk/issues/2522
5
reference_url https://github.com/nltk/nltk/issues/3266
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/
url https://github.com/nltk/nltk/issues/3266
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml
7
reference_url https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/
url https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423
reference_id 1074423
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-39705
reference_id CVE-2024-39705
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-39705
10
reference_url https://github.com/advisories/GHSA-cgvx-9447-vcch
reference_id GHSA-cgvx-9447-vcch
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cgvx-9447-vcch
fixed_packages
0
url pkg:pypi/nltk@3.9
purl pkg:pypi/nltk@3.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5skj-ygwz-73e6
1
vulnerability VCID-924g-fe71-9uhp
2
vulnerability VCID-94me-p193-vfb8
3
vulnerability VCID-c8bp-rz92-53g8
4
vulnerability VCID-g2jr-e9d2-qqgz
5
vulnerability VCID-rkj9-d4q7-aqhv
6
vulnerability VCID-un8t-2sde-ekc3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9
aliases CVE-2024-39705, GHSA-cgvx-9447-vcch, PYSEC-2024-167
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1n1s-amsg-83aa
1
url VCID-48uj-cw5e-mucw
vulnerability_id VCID-48uj-cw5e-mucw
summary nltk is vulnerable to Inefficient Regular Expression Complexity
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-3828
reference_id
reference_type
scores
0
value 0.00433
scoring_system epss
scoring_elements 0.63112
published_at 2026-06-06T12:55:00Z
1
value 0.00433
scoring_system epss
scoring_elements 0.6306
published_at 2026-06-04T12:55:00Z
2
value 0.00433
scoring_system epss
scoring_elements 0.63089
published_at 2026-06-08T12:55:00Z
3
value 0.00433
scoring_system epss
scoring_elements 0.63102
published_at 2026-06-07T12:55:00Z
4
value 0.00433
scoring_system epss
scoring_elements 0.63104
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-3828
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3828
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3828
2
reference_url https://github.com/advisories/GHSA-2ww3-fxvq-293j
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-2ww3-fxvq-293j
3
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
4
reference_url https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6
5
reference_url https://github.com/nltk/nltk/pull/2816
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/pull/2816
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml
7
reference_url https://huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995226
reference_id 995226
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995226
9
reference_url https://security.archlinux.org/AVG-2423
reference_id AVG-2423
reference_type
scores
0
value Low
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2423
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-3828
reference_id CVE-2021-3828
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-3828
11
reference_url https://usn.ubuntu.com/USN-5215-1/
reference_id USN-USN-5215-1
reference_type
scores
url https://usn.ubuntu.com/USN-5215-1/
fixed_packages
0
url pkg:pypi/nltk@3.6.4
purl pkg:pypi/nltk@3.6.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1n1s-amsg-83aa
1
vulnerability VCID-5skj-ygwz-73e6
2
vulnerability VCID-924g-fe71-9uhp
3
vulnerability VCID-94me-p193-vfb8
4
vulnerability VCID-ajve-q4uj-qffv
5
vulnerability VCID-c8bp-rz92-53g8
6
vulnerability VCID-g2jr-e9d2-qqgz
7
vulnerability VCID-muw6-dqdh-u3fb
8
vulnerability VCID-rkj9-d4q7-aqhv
9
vulnerability VCID-un8t-2sde-ekc3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.4
aliases CVE-2021-3828, GHSA-2ww3-fxvq-293j, PYSEC-2021-356
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-48uj-cw5e-mucw
2
url VCID-5skj-ygwz-73e6
vulnerability_id VCID-5skj-ygwz-73e6
summary nltk: NLTK: Denial of Service via unauthenticated remote shutdown
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33231
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05671
published_at 2026-06-08T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05727
published_at 2026-06-05T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05713
published_at 2026-06-06T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05714
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33231
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231
3
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
4
reference_url https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/
url https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b
5
reference_url https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/
url https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33231
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33231
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459
reference_id 1131459
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2449836
reference_id 2449836
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2449836
9
reference_url https://github.com/advisories/GHSA-jm6w-m3j8-898g
reference_id GHSA-jm6w-m3j8-898g
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jm6w-m3j8-898g
10
reference_url https://access.redhat.com/errata/RHSA-2026:19712
reference_id RHSA-2026:19712
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:19712
11
reference_url https://usn.ubuntu.com/8302-1/
reference_id USN-8302-1
reference_type
scores
url https://usn.ubuntu.com/8302-1/
fixed_packages
0
url pkg:pypi/nltk@3.9.4
purl pkg:pypi/nltk@3.9.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4
aliases CVE-2026-33231, GHSA-jm6w-m3j8-898g
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5skj-ygwz-73e6
3
url VCID-924g-fe71-9uhp
vulnerability_id VCID-924g-fe71-9uhp
summary nltk: NLTK: Arbitrary file overwrite and creation via path traversal in XML index files
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33236
reference_id
reference_type
scores
0
value 0.00022
scoring_system epss
scoring_elements 0.06486
published_at 2026-06-08T12:55:00Z
1
value 0.00022
scoring_system epss
scoring_elements 0.0654
published_at 2026-06-05T12:55:00Z
2
value 0.00022
scoring_system epss
scoring_elements 0.06538
published_at 2026-06-06T12:55:00Z
3
value 0.00022
scoring_system epss
scoring_elements 0.06527
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33236
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236
3
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
4
reference_url https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/
url https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a
5
reference_url https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/
url https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33236
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33236
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460
reference_id 1131460
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2449824
reference_id 2449824
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2449824
9
reference_url https://github.com/advisories/GHSA-469j-vmhf-r6v7
reference_id GHSA-469j-vmhf-r6v7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-469j-vmhf-r6v7
10
reference_url https://access.redhat.com/errata/RHSA-2026:10184
reference_id RHSA-2026:10184
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:10184
11
reference_url https://access.redhat.com/errata/RHSA-2026:19712
reference_id RHSA-2026:19712
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:19712
12
reference_url https://usn.ubuntu.com/8302-1/
reference_id USN-8302-1
reference_type
scores
url https://usn.ubuntu.com/8302-1/
fixed_packages
0
url pkg:pypi/nltk@3.9.3
purl pkg:pypi/nltk@3.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5skj-ygwz-73e6
1
vulnerability VCID-c8bp-rz92-53g8
2
vulnerability VCID-g2jr-e9d2-qqgz
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3
aliases CVE-2026-33236, GHSA-469j-vmhf-r6v7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-924g-fe71-9uhp
4
url VCID-94me-p193-vfb8
vulnerability_id VCID-94me-p193-vfb8
summary A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-14009
reference_id
reference_type
scores
0
value 0.00878
scoring_system epss
scoring_elements 0.7569
published_at 2026-06-08T12:55:00Z
1
value 0.00878
scoring_system epss
scoring_elements 0.75702
published_at 2026-06-07T12:55:00Z
2
value 0.00878
scoring_system epss
scoring_elements 0.75712
published_at 2026-06-06T12:55:00Z
3
value 0.00878
scoring_system epss
scoring_elements 0.75715
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-14009
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009
3
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
4
reference_url https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1
5
reference_url https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18
6
reference_url https://github.com/nltk/nltk/pull/3468
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/pull/3468
7
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml
8
reference_url https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-19T04:55:48Z/
url https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474
reference_id 1128474
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440724
reference_id 2440724
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440724
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-14009
reference_id CVE-2025-14009
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-14009
12
reference_url https://github.com/advisories/GHSA-7p94-766c-hgjp
reference_id GHSA-7p94-766c-hgjp
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7p94-766c-hgjp
13
reference_url https://access.redhat.com/errata/RHSA-2026:10184
reference_id RHSA-2026:10184
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:10184
14
reference_url https://usn.ubuntu.com/8214-1/
reference_id USN-8214-1
reference_type
scores
url https://usn.ubuntu.com/8214-1/
fixed_packages
0
url pkg:pypi/nltk@3.9.3
purl pkg:pypi/nltk@3.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5skj-ygwz-73e6
1
vulnerability VCID-c8bp-rz92-53g8
2
vulnerability VCID-g2jr-e9d2-qqgz
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3
aliases CVE-2025-14009, GHSA-7p94-766c-hgjp, PYSEC-2026-96
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-94me-p193-vfb8
5
url VCID-ajve-q4uj-qffv
vulnerability_id VCID-ajve-q4uj-qffv
summary nltk is vulnerable to Inefficient Regular Expression Complexity
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-3842
reference_id
reference_type
scores
0
value 0.0017
scoring_system epss
scoring_elements 0.37977
published_at 2026-06-04T12:55:00Z
1
value 0.0017
scoring_system epss
scoring_elements 0.38041
published_at 2026-06-07T12:55:00Z
2
value 0.0017
scoring_system epss
scoring_elements 0.38071
published_at 2026-06-06T12:55:00Z
3
value 0.0017
scoring_system epss
scoring_elements 0.38068
published_at 2026-06-05T12:55:00Z
4
value 0.0017
scoring_system epss
scoring_elements 0.38007
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-3842
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3842
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3842
2
reference_url https://github.com/advisories/GHSA-rqjh-jp2r-59cj
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rqjh-jp2r-59cj
3
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
4
reference_url https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d
5
reference_url https://github.com/nltk/nltk/pull/2906
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/pull/2906
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2022-5.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2022-5.yaml
7
reference_url https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003142
reference_id 1003142
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003142
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-3842
reference_id CVE-2021-3842
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-3842
10
reference_url https://usn.ubuntu.com/7365-1/
reference_id USN-7365-1
reference_type
scores
url https://usn.ubuntu.com/7365-1/
fixed_packages
0
url pkg:pypi/nltk@3.6.6
purl pkg:pypi/nltk@3.6.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1n1s-amsg-83aa
1
vulnerability VCID-5skj-ygwz-73e6
2
vulnerability VCID-924g-fe71-9uhp
3
vulnerability VCID-94me-p193-vfb8
4
vulnerability VCID-c8bp-rz92-53g8
5
vulnerability VCID-g2jr-e9d2-qqgz
6
vulnerability VCID-rkj9-d4q7-aqhv
7
vulnerability VCID-un8t-2sde-ekc3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.6
aliases CVE-2021-3842, GHSA-rqjh-jp2r-59cj, PYSEC-2022-5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ajve-q4uj-qffv
6
url VCID-c8bp-rz92-53g8
vulnerability_id VCID-c8bp-rz92-53g8
summary
Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS
### Summary
`JSONTaggedDecoder.decode_obj()` in `nltk/jsontags.py` calls itself 
recursively without any depth limit. A deeply nested JSON structure 
exceeding `sys.getrecursionlimit()` (default: 1000) will raise an 
unhandled `RecursionError`, crashing the Python process.

### Affected code
File: `nltk/jsontags.py`, lines 47–52
```python
@classmethod
def decode_obj(cls, obj):
    if isinstance(obj, dict):
        obj = {key: cls.decode_obj(val) for (key, val) in obj.items()}
    elif isinstance(obj, list):
        obj = list(cls.decode_obj(val) for val in obj)
```

### Proof of Concept
```python
import sys, json
from nltk.jsontags import JSONTaggedDecoder

depth = sys.getrecursionlimit() + 50  # e.g. 1050
payload = '{"x":' * depth + "null" + "}" * depth

# Raises RecursionError, crashing the process
json.loads(payload, cls=JSONTaggedDecoder)
```

### Impact
Any code path that passes externally-supplied JSON to 
`JSONTaggedDecoder` is vulnerable to denial of service.
The severity depends on whether such a path exists in the 
calling code (e.g. `nltk/data.py`).

### Suggested Fix
Add a depth parameter with a hard limit:
```python
@classmethod
def decode_obj(cls, obj, _depth=0):
    if _depth > 100:
        raise ValueError("JSON nesting too deep")
    if isinstance(obj, dict):
        obj = {key: cls.decode_obj(val, _depth + 1) 
               for (key, val) in obj.items()}
    elif isinstance(obj, list):
        obj = list(cls.decode_obj(val, _depth + 1) for val in obj)
```
references
0
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
1
reference_url https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw
2
reference_url https://github.com/advisories/GHSA-rf74-v2fm-23pw
reference_id GHSA-rf74-v2fm-23pw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rf74-v2fm-23pw
fixed_packages
aliases GHSA-rf74-v2fm-23pw
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c8bp-rz92-53g8
7
url VCID-g2jr-e9d2-qqgz
vulnerability_id VCID-g2jr-e9d2-qqgz
summary nltk: NLTK: Script execution via reflected cross-site scripting in WordNet Browser
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33230
reference_id
reference_type
scores
0
value 0.00019
scoring_system epss
scoring_elements 0.05394
published_at 2026-06-08T12:55:00Z
1
value 0.00019
scoring_system epss
scoring_elements 0.0545
published_at 2026-06-05T12:55:00Z
2
value 0.00019
scoring_system epss
scoring_elements 0.05433
published_at 2026-06-06T12:55:00Z
3
value 0.00019
scoring_system epss
scoring_elements 0.05434
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33230
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230
3
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
4
reference_url https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/
url https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f
5
reference_url https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/
url https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e
6
reference_url https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/
url https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33230
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33230
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457
reference_id 1131457
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2449825
reference_id 2449825
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2449825
10
reference_url https://github.com/advisories/GHSA-gfwx-w7gr-fvh7
reference_id GHSA-gfwx-w7gr-fvh7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gfwx-w7gr-fvh7
11
reference_url https://usn.ubuntu.com/8302-1/
reference_id USN-8302-1
reference_type
scores
url https://usn.ubuntu.com/8302-1/
fixed_packages
0
url pkg:pypi/nltk@3.9.4
purl pkg:pypi/nltk@3.9.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4
aliases CVE-2026-33230, GHSA-gfwx-w7gr-fvh7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g2jr-e9d2-qqgz
8
url VCID-muw6-dqdh-u3fb
vulnerability_id VCID-muw6-dqdh-u3fb
summary NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-43854
reference_id
reference_type
scores
0
value 0.00144
scoring_system epss
scoring_elements 0.34429
published_at 2026-06-04T12:55:00Z
1
value 0.00144
scoring_system epss
scoring_elements 0.34506
published_at 2026-06-07T12:55:00Z
2
value 0.00144
scoring_system epss
scoring_elements 0.34542
published_at 2026-06-06T12:55:00Z
3
value 0.00144
scoring_system epss
scoring_elements 0.34526
published_at 2026-06-05T12:55:00Z
4
value 0.00144
scoring_system epss
scoring_elements 0.34465
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-43854
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854
2
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
3
reference_url https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341
4
reference_url https://github.com/nltk/nltk/issues/2866
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/issues/2866
5
reference_url https://github.com/nltk/nltk/pull/2869
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/pull/2869
6
reference_url https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x
7
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-859.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-859.yaml
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002623
reference_id 1002623
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002623
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-43854
reference_id CVE-2021-43854
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-43854
10
reference_url https://github.com/advisories/GHSA-f8m6-h2c7-8h9x
reference_id GHSA-f8m6-h2c7-8h9x
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f8m6-h2c7-8h9x
11
reference_url https://usn.ubuntu.com/7365-1/
reference_id USN-7365-1
reference_type
scores
url https://usn.ubuntu.com/7365-1/
fixed_packages
0
url pkg:pypi/nltk@3.6.5
purl pkg:pypi/nltk@3.6.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1n1s-amsg-83aa
1
vulnerability VCID-5skj-ygwz-73e6
2
vulnerability VCID-924g-fe71-9uhp
3
vulnerability VCID-94me-p193-vfb8
4
vulnerability VCID-ajve-q4uj-qffv
5
vulnerability VCID-c8bp-rz92-53g8
6
vulnerability VCID-g2jr-e9d2-qqgz
7
vulnerability VCID-muw6-dqdh-u3fb
8
vulnerability VCID-rkj9-d4q7-aqhv
9
vulnerability VCID-un8t-2sde-ekc3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.5
1
url pkg:pypi/nltk@3.6.6
purl pkg:pypi/nltk@3.6.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1n1s-amsg-83aa
1
vulnerability VCID-5skj-ygwz-73e6
2
vulnerability VCID-924g-fe71-9uhp
3
vulnerability VCID-94me-p193-vfb8
4
vulnerability VCID-c8bp-rz92-53g8
5
vulnerability VCID-g2jr-e9d2-qqgz
6
vulnerability VCID-rkj9-d4q7-aqhv
7
vulnerability VCID-un8t-2sde-ekc3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.6
aliases CVE-2021-43854, GHSA-f8m6-h2c7-8h9x, PYSEC-2021-859
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-muw6-dqdh-u3fb
9
url VCID-rkj9-d4q7-aqhv
vulnerability_id VCID-rkj9-d4q7-aqhv
summary A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-0846
reference_id
reference_type
scores
0
value 0.00088
scoring_system epss
scoring_elements 0.25075
published_at 2026-06-08T12:55:00Z
1
value 0.00088
scoring_system epss
scoring_elements 0.25133
published_at 2026-06-07T12:55:00Z
2
value 0.00088
scoring_system epss
scoring_elements 0.25183
published_at 2026-06-06T12:55:00Z
3
value 0.00088
scoring_system epss
scoring_elements 0.25196
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-0846
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846
3
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
4
reference_url https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974
5
reference_url https://github.com/nltk/nltk/pull/3485
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/pull/3485
6
reference_url https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T14:48:03Z/
url https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2445826
reference_id 2445826
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2445826
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-0846
reference_id CVE-2026-0846
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-0846
9
reference_url https://github.com/advisories/GHSA-h8wq-7xc4-p3qx
reference_id GHSA-h8wq-7xc4-p3qx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h8wq-7xc4-p3qx
10
reference_url https://access.redhat.com/errata/RHSA-2026:10184
reference_id RHSA-2026:10184
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:10184
11
reference_url https://access.redhat.com/errata/RHSA-2026:19712
reference_id RHSA-2026:19712
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:19712
12
reference_url https://usn.ubuntu.com/8302-1/
reference_id USN-8302-1
reference_type
scores
url https://usn.ubuntu.com/8302-1/
fixed_packages
0
url pkg:pypi/nltk@3.9.3
purl pkg:pypi/nltk@3.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5skj-ygwz-73e6
1
vulnerability VCID-c8bp-rz92-53g8
2
vulnerability VCID-g2jr-e9d2-qqgz
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3
aliases CVE-2026-0846, GHSA-h8wq-7xc4-p3qx, PYSEC-2026-97
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rkj9-d4q7-aqhv
10
url VCID-un8t-2sde-ekc3
vulnerability_id VCID-un8t-2sde-ekc3
summary A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-0847
reference_id
reference_type
scores
0
value 0.0008
scoring_system epss
scoring_elements 0.23584
published_at 2026-06-07T12:55:00Z
1
value 0.0008
scoring_system epss
scoring_elements 0.23647
published_at 2026-06-05T12:55:00Z
2
value 0.0008
scoring_system epss
scoring_elements 0.23631
published_at 2026-06-06T12:55:00Z
3
value 0.0008
scoring_system epss
scoring_elements 0.2353
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-0847
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847
3
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
4
reference_url https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:49:39Z/
url https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2444608
reference_id 2444608
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2444608
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-0847
reference_id CVE-2026-0847
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-0847
7
reference_url https://github.com/advisories/GHSA-68j8-pq59-fqgm
reference_id GHSA-68j8-pq59-fqgm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-68j8-pq59-fqgm
8
reference_url https://access.redhat.com/errata/RHSA-2026:10184
reference_id RHSA-2026:10184
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:10184
9
reference_url https://access.redhat.com/errata/RHSA-2026:19712
reference_id RHSA-2026:19712
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:19712
10
reference_url https://usn.ubuntu.com/8302-1/
reference_id USN-8302-1
reference_type
scores
url https://usn.ubuntu.com/8302-1/
fixed_packages
0
url pkg:pypi/nltk@3.9.3
purl pkg:pypi/nltk@3.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5skj-ygwz-73e6
1
vulnerability VCID-c8bp-rz92-53g8
2
vulnerability VCID-g2jr-e9d2-qqgz
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3
aliases CVE-2026-0847, GHSA-68j8-pq59-fqgm, PYSEC-2026-98
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-un8t-2sde-ekc3
Fixing_vulnerabilities
0
url VCID-dzjp-cy2g-gffk
vulnerability_id VCID-dzjp-cy2g-gffk
summary NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html
reference_id
reference_type
scores
url http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html
reference_id
reference_type
scores
url http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html
2
reference_url https://github.com/mssalvatore/CVE-2019-14751_PoC
reference_id
reference_type
scores
url https://github.com/mssalvatore/CVE-2019-14751_PoC
3
reference_url https://github.com/nltk/nltk/blob/3.4.5/ChangeLog
reference_id
reference_type
scores
url https://github.com/nltk/nltk/blob/3.4.5/ChangeLog
4
reference_url https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10
reference_id
reference_type
scores
url https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10
5
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/
7
reference_url https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/
reference_id
reference_type
scores
url https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/
fixed_packages
0
url pkg:pypi/nltk@3.4.5
purl pkg:pypi/nltk@3.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1n1s-amsg-83aa
1
vulnerability VCID-48uj-cw5e-mucw
2
vulnerability VCID-5skj-ygwz-73e6
3
vulnerability VCID-924g-fe71-9uhp
4
vulnerability VCID-94me-p193-vfb8
5
vulnerability VCID-ajve-q4uj-qffv
6
vulnerability VCID-c8bp-rz92-53g8
7
vulnerability VCID-g2jr-e9d2-qqgz
8
vulnerability VCID-muw6-dqdh-u3fb
9
vulnerability VCID-rkj9-d4q7-aqhv
10
vulnerability VCID-un8t-2sde-ekc3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.4.5
aliases PYSEC-2019-36
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dzjp-cy2g-gffk
1
url VCID-esfz-42mm-x3ad
vulnerability_id VCID-esfz-42mm-x3ad
summary NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-14751
reference_id
reference_type
scores
0
value 0.03163
scoring_system epss
scoring_elements 0.87177
published_at 2026-06-07T12:55:00Z
1
value 0.03163
scoring_system epss
scoring_elements 0.87173
published_at 2026-06-08T12:55:00Z
2
value 0.03222
scoring_system epss
scoring_elements 0.87289
published_at 2026-06-04T12:55:00Z
3
value 0.03222
scoring_system epss
scoring_elements 0.87308
published_at 2026-06-06T12:55:00Z
4
value 0.03222
scoring_system epss
scoring_elements 0.87311
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-14751
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14751
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14751
4
reference_url https://github.com/advisories/GHSA-mr7p-25v2-35wr
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-mr7p-25v2-35wr
5
reference_url https://github.com/mssalvatore/CVE-2019-14751_PoC
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mssalvatore/CVE-2019-14751_PoC
6
reference_url https://github.com/nltk/nltk
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk
7
reference_url https://github.com/nltk/nltk/blob/3.4.5/ChangeLog
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/blob/3.4.5/ChangeLog
8
reference_url https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10
9
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2019-106.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2019-106.yaml
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/
14
reference_url https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751
15
reference_url https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/
reference_id
reference_type
scores
url https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/
16
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935201
reference_id 935201
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935201
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-14751
reference_id CVE-2019-14751
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-14751
18
reference_url https://usn.ubuntu.com/4106-1/
reference_id USN-4106-1
reference_type
scores
url https://usn.ubuntu.com/4106-1/
fixed_packages
0
url pkg:pypi/nltk@3.4.5
purl pkg:pypi/nltk@3.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1n1s-amsg-83aa
1
vulnerability VCID-48uj-cw5e-mucw
2
vulnerability VCID-5skj-ygwz-73e6
3
vulnerability VCID-924g-fe71-9uhp
4
vulnerability VCID-94me-p193-vfb8
5
vulnerability VCID-ajve-q4uj-qffv
6
vulnerability VCID-c8bp-rz92-53g8
7
vulnerability VCID-g2jr-e9d2-qqgz
8
vulnerability VCID-muw6-dqdh-u3fb
9
vulnerability VCID-rkj9-d4q7-aqhv
10
vulnerability VCID-un8t-2sde-ekc3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.4.5
aliases CVE-2019-14751, GHSA-mr7p-25v2-35wr, PYSEC-2019-106
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-esfz-42mm-x3ad
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.4.5