{"url":"http://public2.vulnerablecode.io/api/packages/13972?format=json","purl":"pkg:pypi/nltk@3.4.5","type":"pypi","namespace":"","name":"nltk","version":"3.4.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.9.4","latest_non_vulnerable_version":"3.9.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36821?format=json","vulnerability_id":"VCID-1n1s-amsg-83aa","summary":"NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39705","reference_id":"","reference_type":"","scores":[{"value":"0.10792","scoring_system":"epss","scoring_elements":"0.93494","published_at":"2026-06-08T12:55:00Z"},{"value":"0.10792","scoring_system":"epss","scoring_elements":"0.93497","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39705"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2"},{"reference_url":"https://github.com/nltk/nltk/issues/2522","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/"}],"url":"https://github.com/nltk/nltk/issues/2522"},{"reference_url":"https://github.com/nltk/nltk/issues/3266","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/"}],"url":"https://github.com/nltk/nltk/issues/3266"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring
_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml"},{"reference_url":"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/"}],"url":"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423","reference_id":"1074423","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39705","reference_id":"CVE-2024-39705","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39705"},{"reference_url":"https://github.com/advisories/GHSA-cgvx-9447-vcch","reference_id":"GHSA-cgvx-9447-vcch","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgvx-9447-vcch"}],"fixed_packag
es":[{"url":"http://public2.vulnerablecode.io/api/packages/41797?format=json","purl":"pkg:pypi/nltk@3.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-924g-fe71-9uhp"},{"vulnerability":"VCID-94me-p193-vfb8"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"},{"vulnerability":"VCID-rkj9-d4q7-aqhv"},{"vulnerability":"VCID-un8t-2sde-ekc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9"}],"aliases":["CVE-2024-39705","GHSA-cgvx-9447-vcch","PYSEC-2024-167"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1n1s-amsg-83aa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35876?format=json","vulnerability_id":"VCID-48uj-cw5e-mucw","summary":"nltk is vulnerable to Inefficient Regular Expression Complexity","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3828","reference_id":"","reference_type":"","scores":[{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63112","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.6306","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63089","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63102","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63104","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3828"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3828","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3828"},{"reference_url":"https://github.com/advisories/GHSA-2ww3-fxvq-293j","reference_id":"","reference_type":"","scores
":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2ww3-fxvq-293j"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6"},{"reference_url":"https://github.com/nltk/nltk/pull/2816","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/2816"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml",
"reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml"},{"reference_url":"https://huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995226","reference_id":"995226","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995226"},{"reference_url":"https://security.archlinux.org/AVG-2423","reference_id":"AVG-2423","reference_type":"","scores":[{"value":"Low","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2423"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3828","reference_id":"CVE-2021-3828","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3828"},{"reference_url":"https://usn.ubuntu.com/USN-5215-1/","reference_id":"USN-USN-5215-1","reference_type":"","
scores":[],"url":"https://usn.ubuntu.com/USN-5215-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23632?format=json","purl":"pkg:pypi/nltk@3.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1n1s-amsg-83aa"},{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-924g-fe71-9uhp"},{"vulnerability":"VCID-94me-p193-vfb8"},{"vulnerability":"VCID-ajve-q4uj-qffv"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"},{"vulnerability":"VCID-muw6-dqdh-u3fb"},{"vulnerability":"VCID-rkj9-d4q7-aqhv"},{"vulnerability":"VCID-un8t-2sde-ekc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.4"}],"aliases":["CVE-2021-3828","GHSA-2ww3-fxvq-293j","PYSEC-2021-356"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-48uj-cw5e-mucw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64750?format=json","vulnerability_id":"VCID-5skj-ygwz-73e6","summary":"nltk: NLTK: Denial of Service via unauthenticated remote 
shutdown","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33231","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05671","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05727","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05713","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05714","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33231"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/"}],"url":"https://github.com/nltk/nltk/commit/bbaae
83db86a0f49e00f5b0db44a7254c268de9b"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/"}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33231","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33231"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459","reference_id":"1131459","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449836","reference_id":"2449836","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449836"},{"reference_url":"https://github.com/advisories/GHSA-jm6w-m3j8-898g","reference_id":"GHSA-jm6w-m3j8-898g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jm6w-m3j8-898g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[
{"url":"http://public2.vulnerablecode.io/api/packages/112851?format=json","purl":"pkg:pypi/nltk@3.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4"}],"aliases":["CVE-2026-33231","GHSA-jm6w-m3j8-898g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5skj-ygwz-73e6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64749?format=json","vulnerability_id":"VCID-924g-fe71-9uhp","summary":"nltk: NLTK: Arbitrary file overwrite and creation via path traversal in XML index files","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33236","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06486","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0654","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06538","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06527","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33236"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/"}],"url":"https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/"}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33236","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33236"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460","reference_id":"1131460","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449824","reference_id":"2449824","reference_type":"","scores":[],"url":"https://bugzilla.redhat
.com/show_bug.cgi?id=2449824"},{"reference_url":"https://github.com/advisories/GHSA-469j-vmhf-r6v7","reference_id":"GHSA-469j-vmhf-r6v7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-469j-vmhf-r6v7"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47638?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2026-33236","GHSA-469j-vmhf-r6v7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-924g-fe71-9uhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37215?format=json","vulnerability_id":"VCID-94me-p193-vfb8","summary":"A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. 
The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-14009","reference_id":"","reference_type":"","scores":[{"value":"0.00878","scoring_system":"epss","scoring_elements":"0.7569","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00878","scoring_system":"epss","scoring_elements":"0.75702","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00878","scoring_system":"epss","scoring_elements":"0.75712","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00878","scoring_system":"epss","scoring_elements":"0.75715","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-14009"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284
/ChangeLog#L1","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1"},{"reference_url":"https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18"},{"reference_url":"https://github.com/nltk/nltk/pull/3468","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/3468"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml"},{"reference_url":"https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_sy
stem":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-19T04:55:48Z/"}],"url":"https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474","reference_id":"1128474","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440724","reference_id":"2440724","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440724"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14009","reference_id":"CVE-2025-14009","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14009"},{"reference_url":"https://github.com/advisories/GHSA-7p94-766c-hgjp","reference_id":"GHSA-7p94-766c-hgjp","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7p94-766c-hgjp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://usn.ubuntu.com/8214-1/","reference_id":"USN-8214-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8214-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47638?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2025-14009","GHSA-7p94-766c-hgjp","PYSEC-2026-96"],"risk_score":4.
5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-94me-p193-vfb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35945?format=json","vulnerability_id":"VCID-ajve-q4uj-qffv","summary":"nltk is vulnerable to Inefficient Regular Expression Complexity","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3842","reference_id":"","reference_type":"","scores":[{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.37977","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38041","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38071","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38068","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.38007","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3842"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3842","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3842"},{"reference_url":"https://github.com/advisories/GHSA-rqjh-jp2r-59cj","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rqjh-jp2r-59cj"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https:/
/github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d"},{"reference_url":"https://github.com/nltk/nltk/pull/2906","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/2906"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2022-5.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2022-5.yaml"},{"reference_url":"https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev
/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003142","reference_id":"1003142","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003142"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3842","reference_id":"CVE-2021-3842","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3842"},{"reference_url":"https://usn.ubuntu.com/7365-1/","reference_id":"USN-7365-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7365-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26291?format=json","purl":"pkg:pypi/nltk@3.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1n1s-amsg-83aa"},{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-924g-fe71-9uhp"},{"vulnerability":"VCID-94me-p193-vfb8"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"},{"vulnerability":"VCID-rkj9-d4q7-aqhv"},{"vulnerability":"VCID-un8t-2sde-ekc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.6"}],"aliases":["CVE-2021-3842","GHSA-rqjh-jp2r-59cj","PYSEC-2022-5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ajve-q4uj-qffv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91116?format=json","vulnerability_id":"VCID-c8bp-rz92-53g8","summary":"Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS\n### Summary\n`JSONTaggedDecoder.decode_obj()` in `nltk/jsontags.py` calls 
itself \nrecursively without any depth limit. A JSON structure nested more deeply \nthan `sys.getrecursionlimit()` (default: 1000) raises a `RecursionError` \nthat is not handled inside the decoder; unless the caller catches it, the Python process crashes.\n\n### Affected code\nFile: `nltk/jsontags.py`, lines 47–52\n```python\n@classmethod\ndef decode_obj(cls, obj):\n    if isinstance(obj, dict):\n        obj = {key: cls.decode_obj(val) for (key, val) in obj.items()}\n    elif isinstance(obj, list):\n        obj = list(cls.decode_obj(val) for val in obj)\n```\n\n### Proof of Concept\n```python\nimport sys, json\nfrom nltk.jsontags import JSONTaggedDecoder\n\ndepth = sys.getrecursionlimit() + 50  # e.g. 1050\npayload = '{\"x\":' * depth + \"null\" + \"}\" * depth\n\n# Raises RecursionError, crashing the process\njson.loads(payload, cls=JSONTaggedDecoder)\n```\n\n### Impact\nAny code path that passes externally-supplied JSON to \n`JSONTaggedDecoder` is vulnerable to denial of service.\nThe severity depends on whether such a path exists in the \ncalling code (e.g. 
`nltk/data.py`).\n\n### Suggested Fix\nAdd a depth parameter with a hard limit:\n```python\n@classmethod\ndef decode_obj(cls, obj, _depth=0):\n    if _depth > 100:\n        raise ValueError(\"JSON nesting too deep\")\n    if isinstance(obj, dict):\n        obj = {key: cls.decode_obj(val, _depth + 1) \n               for (key, val) in obj.items()}\n    elif isinstance(obj, list):\n        obj = list(cls.decode_obj(val, _depth + 1) for val in obj)\n```","references":[{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw"},{"reference_url":"https://github.com/advisories/GHSA-rf74-v2fm-23pw","reference_id":"GHSA-rf74-v2fm-23pw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rf74-v2fm-23pw"}],"fixed_packages":[],"aliases":["GHSA-rf74-v2fm-23pw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c8bp-rz92-53g8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64751?format=json","vulnerability_id":"VCID-g2jr-e9d2-qqgz","summary":"nltk: NLTK: Script execution via reflected cross-site scripting in WordNet 
Browser","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33230","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05394","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.0545","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05433","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05434","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33230"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/"}],"url":"https://github.com/nltk/nltk/co
mmit/1c3f799607eeb088cab2491dcf806ae83c29ad8f"},{"reference_url":"https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/"}],"url":"https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/"}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33230","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33230"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457","reference_id":"1131457","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449825","reference_id":"2449825","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449825"},{"reference_url":"https://github.com/advisories/GHSA-gfwx-w7gr-fv
h7","reference_id":"GHSA-gfwx-w7gr-fvh7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfwx-w7gr-fvh7"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112851?format=json","purl":"pkg:pypi/nltk@3.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4"}],"aliases":["CVE-2026-33230","GHSA-gfwx-w7gr-fvh7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g2jr-e9d2-qqgz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35936?format=json","vulnerability_id":"VCID-muw6-dqdh-u3fb","summary":"NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or of these two functions, are vulnerable to the ReDoS attack. In short, a specially crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade, the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. 
Our recommendation is to implement such a limit.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43854","reference_id":"","reference_type":"","scores":[{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34429","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34506","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34542","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34526","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34465","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43854"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341"},{"refe
rence_url":"https://github.com/nltk/nltk/issues/2866","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/issues/2866"},{"reference_url":"https://github.com/nltk/nltk/pull/2869","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/2869"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-859.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https
://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-859.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002623","reference_id":"1002623","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002623"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43854","reference_id":"CVE-2021-43854","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43854"},{"reference_url":"https://github.com/advisories/GHSA-f8m6-h2c7-8h9x","reference_id":"GHSA-f8m6-h2c7-8h9x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f8m6-h2c7-8h9x"},{"reference_url":"https://usn.ubuntu.com/7365-1/","reference_id":"USN-7365-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7365-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25912?format=json","purl":"pkg:pypi/nltk@3.6.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1n1s-amsg-83aa"},{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-924g-fe71-9uhp"},{"vulnerability":"VCID-94me-p193-vfb8"},{"vulnerability":"VCID-ajve-q4uj-qffv"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"},{"vulnerability":"VCID-muw6-dqdh-u3fb"},{"vulnerability":"VCID-rkj9-d4q7-aqhv"},{"vulnerability":"VCID-un8t-2sde-ekc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.5"},{"url":"http://public2.vulnerablecode.io/api/packages/26291?format=json","purl":"pkg:pypi/nltk@3.6.6","is_vulnerable":true,"affected_by_vulnerabilities
":[{"vulnerability":"VCID-1n1s-amsg-83aa"},{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-924g-fe71-9uhp"},{"vulnerability":"VCID-94me-p193-vfb8"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"},{"vulnerability":"VCID-rkj9-d4q7-aqhv"},{"vulnerability":"VCID-un8t-2sde-ekc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.6"}],"aliases":["CVE-2021-43854","GHSA-f8m6-h2c7-8h9x","PYSEC-2021-859"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-muw6-dqdh-u3fb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37231?format=json","vulnerability_id":"VCID-rkj9-d4q7-aqhv","summary":"A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. 
This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0846","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25075","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25133","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25183","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25196","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0846"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url
":"https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974"},{"reference_url":"https://github.com/nltk/nltk/pull/3485","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/3485"},{"reference_url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T14:48:03Z/"}],"url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445826","reference_id":"2445826","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445826"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0846","reference_id":"CVE-2026-0846","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0846"},{"reference_url":"https://github.com/advisories/GHSA-h8wq-7xc4-p3qx","reference_id":"GHSA-h8wq-7xc4-p3qx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h8wq-7xc4-p3qx"},{"reference_url":"https://acc
ess.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47638?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2026-0846","GHSA-h8wq-7xc4-p3qx","PYSEC-2026-97"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rkj9-d4q7-aqhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37223?format=json","vulnerability_id":"VCID-un8t-2sde-ekc3","summary":"A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. 
Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0847","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23584","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23647","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23631","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.2353","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0847"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"7.5","scoring_system":"
cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:49:39Z/"}],"url":"https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2444608","reference_id":"2444608","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2444608"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0847","reference_id":"CVE-2026-0847","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0847"},{"reference_url":"https://github.com/advisories/GHSA-68j8-pq59-fqgm","reference_id":"GHSA-68j8-pq59-fqgm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68j8-pq59-fqgm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47638?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":
"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2026-0847","GHSA-68j8-pq59-fqgm","PYSEC-2026-98"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-un8t-2sde-ekc3"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/275838?format=json","vulnerability_id":"VCID-dzjp-cy2g-gffk","summary":"NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html","reference_id":"","reference_type":"","scores":[],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html"},{"reference_url":"https://github.com/mssalvatore/CVE-2019-14751_PoC","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/mssalvatore/CVE-2019-14751_PoC"},{"reference_url":"https://github.com/nltk/nltk/blob/3.4.5/ChangeLog","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nltk/nltk/blob/3.4.5/ChangeLog"},{"reference_url":"https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/","reference_id":"","
reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/"},{"reference_url":"https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/","reference_id":"","reference_type":"","scores":[],"url":"https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13972?format=json","purl":"pkg:pypi/nltk@3.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1n1s-amsg-83aa"},{"vulnerability":"VCID-48uj-cw5e-mucw"},{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-924g-fe71-9uhp"},{"vulnerability":"VCID-94me-p193-vfb8"},{"vulnerability":"VCID-ajve-q4uj-qffv"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"},{"vulnerability":"VCID-muw6-dqdh-u3fb"},{"vulnerability":"VCID-rkj9-d4q7-aqhv"},{"vulnerability":"VCID-un8t-2sde-ekc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.4.5"}],"aliases":["PYSEC-2019-36"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dzjp-cy2g-gffk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35401?format=json","vulnerability_id":"VCID-esfz-42mm-x3ad","summary":"NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during 
extraction.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-14751","reference_id":"","reference_type":"","scores":[{"value":"0.03163","scoring_system":"epss","scoring_elements":"0.87177","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03163","scoring_system":"epss","scoring_elements":"0.87173","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03222","scoring_system":"epss","scoring_elements":"0.87289","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03222","scoring_system":"epss","scoring_elements":"0.87308","published_at":"2026-06-06T12:55:00Z"},{"value":"0.03222","scoring_system":"epss","scoring_elements":"0.87311","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-14751"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14751","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.o
rg/cgi-bin/cvename.cgi?name=CVE-2019-14751"},{"reference_url":"https://github.com/advisories/GHSA-mr7p-25v2-35wr","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mr7p-25v2-35wr"},{"reference_url":"https://github.com/mssalvatore/CVE-2019-14751_PoC","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mssalvatore/CVE-2019-14751_PoC"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/blob/3.4.5/ChangeLog","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nlt
k/blob/3.4.5/ChangeLog"},{"reference_url":"https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2019-106.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2019-106.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.or
g/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/"},{"reference_url":"https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751"},{"reference_url":"https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/","reference_id":"","reference_type":"","scores":[],"url":"https://salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935201","reference_id":"935201","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935201"},{"ref
erence_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14751","reference_id":"CVE-2019-14751","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14751"},{"reference_url":"https://usn.ubuntu.com/4106-1/","reference_id":"USN-4106-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4106-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/13972?format=json","purl":"pkg:pypi/nltk@3.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1n1s-amsg-83aa"},{"vulnerability":"VCID-48uj-cw5e-mucw"},{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-924g-fe71-9uhp"},{"vulnerability":"VCID-94me-p193-vfb8"},{"vulnerability":"VCID-ajve-q4uj-qffv"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"},{"vulnerability":"VCID-muw6-dqdh-u3fb"},{"vulnerability":"VCID-rkj9-d4q7-aqhv"},{"vulnerability":"VCID-un8t-2sde-ekc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.4.5"}],"aliases":["CVE-2019-14751","GHSA-mr7p-25v2-35wr","PYSEC-2019-106"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-esfz-42mm-x3ad"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.4.5"}