{"url":"http://public2.vulnerablecode.io/api/packages/41797?format=json","purl":"pkg:pypi/nltk@3.9","type":"pypi","namespace":"","name":"nltk","version":"3.9","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.9.4","latest_non_vulnerable_version":"3.9.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64750?format=json","vulnerability_id":"VCID-5skj-ygwz-73e6","summary":"nltk: NLTK: Denial of Service via unauthenticated remote shutdown","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33231","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05671","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05727","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05713","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05714","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33231"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nl
tk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/"}],"url":"https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/"}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33231","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33231"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459","reference_id":"1131459","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449836","reference_id":"2449836","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449836"},{"reference_url":"https://github.com/advisories/GHSA-jm6w-m3j8-898g","reference_id":"GHSA-jm6w-m3j8-898g","reference_ty
pe":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jm6w-m3j8-898g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112851?format=json","purl":"pkg:pypi/nltk@3.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4"}],"aliases":["CVE-2026-33231","GHSA-jm6w-m3j8-898g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5skj-ygwz-73e6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64749?format=json","vulnerability_id":"VCID-924g-fe71-9uhp","summary":"nltk: NLTK: Arbitrary file overwrite and creation via path traversal in XML index 
files","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33236","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06486","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0654","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06538","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06527","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33236"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/"}],"url":"https://github.com/nltk/nltk/commit/89fe2
ec2c6bae6e2e7a46dad65cc34231976ed8a"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/"}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33236","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33236"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460","reference_id":"1131460","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449824","reference_id":"2449824","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449824"},{"reference_url":"https://github.com/advisories/GHSA-469j-vmhf-r6v7","reference_id":"GHSA-469j-vmhf-r6v7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-469j-vmhf-r6v7"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/err
ata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47638?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2026-33236","GHSA-469j-vmhf-r6v7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-924g-fe71-9uhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37215?format=json","vulnerability_id":"VCID-94me-p193-vfb8","summary":"A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. 
This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-14009","reference_id":"","reference_type":"","scores":[{"value":"0.00878","scoring_system":"epss","scoring_elements":"0.7569","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00878","scoring_system":"epss","scoring_elements":"0.75702","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00878","scoring_system":"epss","scoring_elements":"0.75712","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00878","scoring_system":"epss","scoring_elements":"0.75715","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-14009"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://githu
b.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1"},{"reference_url":"https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18"},{"reference_url":"https://github.com/nltk/nltk/pull/3468","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/3468"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml"},{"reference_url":"https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-19T04:55:48Z/"}],"url":"https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474","reference_id":"1128474","refe
rence_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440724","reference_id":"2440724","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440724"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14009","reference_id":"CVE-2025-14009","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14009"},{"reference_url":"https://github.com/advisories/GHSA-7p94-766c-hgjp","reference_id":"GHSA-7p94-766c-hgjp","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7p94-766c-hgjp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://usn.ubuntu.com/8214-1/","reference_id":"USN-8214-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8214-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47638?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2025-14009","GHSA-7p94-766c-hgjp","PYSEC-2026-96"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-94me-p193-vfb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91116?format=json","vulnerability_id":"VCID-c8bp-rz92-53g8","summary":"Nat
ural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() that may cause DoS\n### Summary\n`JSONTaggedDecoder.decode_obj()` in `nltk/jsontags.py` calls itself \nrecursively without any depth limit. A deeply nested JSON structure \nexceeding `sys.getrecursionlimit()` (default: 1000) will raise an \nunhandled `RecursionError`, crashing the Python process.\n\n### Affected code\nFile: `nltk/jsontags.py`, lines 47–52\n```python\n@classmethod\ndef decode_obj(cls, obj):\n    if isinstance(obj, dict):\n        obj = {key: cls.decode_obj(val) for (key, val) in obj.items()}\n    elif isinstance(obj, list):\n        obj = list(cls.decode_obj(val) for val in obj)\n```\n\n### Proof of Concept\n```python\nimport sys, json\nfrom nltk.jsontags import JSONTaggedDecoder\n\ndepth = sys.getrecursionlimit() + 50  # e.g. 1050\npayload = '{\"x\":' * depth + \"null\" + \"}\" * depth\n\n# Raises RecursionError, crashing the process\njson.loads(payload, cls=JSONTaggedDecoder)\n```\n\n### Impact\nAny code path that passes externally-supplied JSON to \n`JSONTaggedDecoder` is vulnerable to denial of service.\nThe severity depends on whether such a path exists in the \ncalling code (e.g. 
`nltk/data.py`).\n\n### Suggested Fix\nAdd a depth parameter with a hard limit:\n```python\n@classmethod\ndef decode_obj(cls, obj, _depth=0):\n    if _depth > 100:\n        raise ValueError(\"JSON nesting too deep\")\n    if isinstance(obj, dict):\n        obj = {key: cls.decode_obj(val, _depth + 1) \n               for (key, val) in obj.items()}\n    elif isinstance(obj, list):\n        obj = list(cls.decode_obj(val, _depth + 1) for val in obj)\n```","references":[{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw"},{"reference_url":"https://github.com/advisories/GHSA-rf74-v2fm-23pw","reference_id":"GHSA-rf74-v2fm-23pw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rf74-v2fm-23pw"}],"fixed_packages":[],"aliases":["GHSA-rf74-v2fm-23pw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c8bp-rz92-53g8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64751?format=json","vulnerability_id":"VCID-g2jr-e9d2-qqgz","summary":"nltk: NLTK: Script execution via reflected cross-site scripting in WordNet 
Browser","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33230","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05394","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.0545","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05433","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05434","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33230"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/"}],"url":"https://github.com/nltk/nltk/co
mmit/1c3f799607eeb088cab2491dcf806ae83c29ad8f"},{"reference_url":"https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/"}],"url":"https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/"}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33230","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33230"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457","reference_id":"1131457","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449825","reference_id":"2449825","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449825"},{"reference_url":"https://github.com/advisories/GHSA-gfwx-w7gr-fv
h7","reference_id":"GHSA-gfwx-w7gr-fvh7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfwx-w7gr-fvh7"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112851?format=json","purl":"pkg:pypi/nltk@3.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4"}],"aliases":["CVE-2026-33230","GHSA-gfwx-w7gr-fvh7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g2jr-e9d2-qqgz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37231?format=json","vulnerability_id":"VCID-rkj9-d4q7-aqhv","summary":"A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. 
This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0846","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25075","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25196","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25183","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25133","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0846"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url
":"https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974"},{"reference_url":"https://github.com/nltk/nltk/pull/3485","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/3485"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-97.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-97.yaml"},{"reference_url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T14:48:03Z/"}],"url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445826","reference_id":"2445826","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445826"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0846","reference_id":"CVE-2026-0846","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{
"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0846"},{"reference_url":"https://github.com/advisories/GHSA-h8wq-7xc4-p3qx","reference_id":"GHSA-h8wq-7xc4-p3qx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h8wq-7xc4-p3qx"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47638?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2026-0846","GHSA-h8wq-7xc4-p3qx","PYSEC-2026-97"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rkj9-d4q7-aqhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37223?format=json","vulnerability_id":"VCID-un8t-2sde-ekc3","summary":"A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. 
These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0847","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.2353","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23647","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23631","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23584","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0847"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"
url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-98.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-98.yaml"},{"reference_url":"https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:49:39Z/"}],"url":"https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2444608","reference_id":"2444608","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2444608"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0847","reference_id":"CVE-2026-0847","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0847"},{"reference_url":"https://github.com/advisories/GHSA-68j8-pq59-fqgm","reference_id":"GHSA-68j8-pq59-fqgm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68j8-
pq59-fqgm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47638?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2026-0847","GHSA-68j8-pq59-fqgm","PYSEC-2026-98"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-un8t-2sde-ekc3"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36821?format=json","vulnerability_id":"VCID-1n1s-amsg-83aa","summary":"NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. 
This affects, for example, averaged_perceptron_tagger and punkt.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39705","reference_id":"","reference_type":"","scores":[{"value":"0.10792","scoring_system":"epss","scoring_elements":"0.93494","published_at":"2026-06-08T12:55:00Z"},{"value":"0.10792","scoring_system":"epss","scoring_elements":"0.93497","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39705"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2"},{"reference_url":"https://github.com/nltk/nltk/issues/2522","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A
:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/"}],"url":"https://github.com/nltk/nltk/issues/2522"},{"reference_url":"https://github.com/nltk/nltk/issues/3266","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/"}],"url":"https://github.com/nltk/nltk/issues/3266"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml"},{"reference_url":"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"v
alue":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/"}],"url":"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423","reference_id":"1074423","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39705","reference_id":"CVE-2024-39705","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39705"},{"reference_url":"https://github.com/advisories/GHSA-cgvx-9447-vcch","reference_id":"GHSA-cgvx-9447-vcch","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgvx-9447-vcch"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41797?format=json","purl":"pkg:pypi/nltk@3.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5skj-ygwz-73e6"},{"vulnerability":"VCID-924g-fe71-9uhp"},{"vulnerability":"VCID-94me-p193-vfb8"},{"vulnerability":"VCID-c8bp-rz92-53g8"},{"vulnerability":"VCID-g2jr-e9d2-qqgz"},{"vulnerability":"VCID-rkj9-d4q7-aqhv"},{"vulnerability":"VCID-un8t-2sde-ekc3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9"}],"aliases":["CVE-2024-39705","GHSA-cgvx-9447-vcch","PYSEC-2024-167"],"risk_score":4.4,"exploitabil
ity":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1n1s-amsg-83aa"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9"}