{"url":"http://public2.vulnerablecode.io/api/packages/517765?format=json","purl":"pkg:pypi/nltk@3.6.1","type":"pypi","namespace":"","name":"nltk","version":"3.6.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.9.4","latest_non_vulnerable_version":"3.9.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78290?format=json","vulnerability_id":"VCID-8gac-u2vb-qkcq","summary":"NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. 
Commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33230.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33230","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.0549","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33230"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33230","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33230"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457","reference_id":"1131457","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131457"},{"reference_url":"https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f","reference_id":"1c3f799607eeb088cab2491dcf806ae83c29ad8f","reference_type":"","scores":[{"value":"6.1","scori
ng_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/"}],"url":"https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449825","reference_id":"2449825","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449825"},{"reference_url":"https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e","reference_id":"40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/"}],"url":"https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e"},{"reference_url":"https://github.com/advisories/GHSA-gfwx-w7gr-fvh7","reference_id":"GHSA-gfwx-w7gr-fvh7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfwx-w7gr-fvh7"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7","reference_id":"GHSA-gfwx-w7gr-fvh7","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T02:06:58Z/"}],"url":"https://github.com/nltk/nltk/security/advis
ories/GHSA-gfwx-w7gr-fvh7"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374653?format=json","purl":"pkg:pypi/nltk@3.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4"}],"aliases":["CVE-2026-33230","GHSA-gfwx-w7gr-fvh7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8gac-u2vb-qkcq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46917?format=json","vulnerability_id":"VCID-9z4z-ntd4-j3g1","summary":"NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39705","reference_id":"","reference_type":"","scores":[{"value":"0.10792","scoring_system":"epss","scoring_elements":"0.93517","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39705"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39705"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nlt
k/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423","reference_id":"1074423","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074423"},{"reference_url":"https://github.com/nltk/nltk/issues/2522","reference_id":"2522","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/"}],"url":"https://github.com/nltk/nltk/issues/2522"},{"reference_url":"https://github.com/nltk/nl
tk/issues/3266","reference_id":"3266","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/"}],"url":"https://github.com/nltk/nltk/issues/3266"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39705","reference_id":"CVE-2024-39705","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39705"},{"reference_url":"https://github.com/advisories/GHSA-cgvx-9447-vcch","reference_id":"GHSA-cgvx-9447-vcch","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cgvx-9447-vcch"},{"reference_url":"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706","reference_id":"rce-in-python-nltk-cve-2024-39705-39706","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_te
xtual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/"}],"url":"https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32320?format=json","purl":"pkg:pypi/nltk@3.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gac-u2vb-qkcq"},{"vulnerability":"VCID-aydp-euhu-3bgh"},{"vulnerability":"VCID-c8kx-p4f2-1fck"},{"vulnerability":"VCID-ebeb-dyr8-9fb1"},{"vulnerability":"VCID-gg3u-72s3-tkfh"},{"vulnerability":"VCID-stbm-19e9-8khz"},{"vulnerability":"VCID-yjax-vd1r-zua8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9"}],"aliases":["CVE-2024-39705","GHSA-cgvx-9447-vcch","PYSEC-2024-167"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9z4z-ntd4-j3g1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360071?format=json","vulnerability_id":"VCID-aydp-euhu-3bgh","summary":"Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() that may cause DoS\n### Summary\n`JSONTaggedDecoder.decode_obj()` in `nltk/jsontags.py` calls itself \nrecursively without any depth limit. A deeply nested JSON structure \nexceeding `sys.getrecursionlimit()` (default: 1000) will raise an \nunhandled `RecursionError`, crashing the Python process.\n\n### Affected code\nFile: `nltk/jsontags.py`, lines 47–52\n```python\n@classmethod\ndef decode_obj(cls, obj):\n    if isinstance(obj, dict):\n        obj = {key: cls.decode_obj(val) for (key, val) in obj.items()}\n    elif isinstance(obj, list):\n        obj = list(cls.decode_obj(val) for val in obj)\n```\n\n### Proof of Concept\n```python\nimport sys, json\nfrom nltk.jsontags import JSONTaggedDecoder\n\ndepth = sys.getrecursionlimit() + 50  # e.g. 
1050\npayload = '{\"x\":' * depth + \"null\" + \"}\" * depth\n\n# Raises RecursionError, crashing the process\njson.loads(payload, cls=JSONTaggedDecoder)\n```\n\n### Impact\nAny code path that passes externally-supplied JSON to \n`JSONTaggedDecoder` is vulnerable to denial of service.\nThe severity depends on whether such a path exists in the \ncalling code (e.g. `nltk/data.py`).\n\n### Suggested Fix\nAdd a depth parameter with a hard limit:\n```python\n@classmethod\ndef decode_obj(cls, obj, _depth=0):\n    if _depth > 100:\n        raise ValueError(\"JSON nesting too deep\")\n    if isinstance(obj, dict):\n        obj = {key: cls.decode_obj(val, _depth + 1) \n               for (key, val) in obj.items()}\n    elif isinstance(obj, list):\n        obj = list(cls.decode_obj(val, _depth + 1) for val in obj)\n```","references":[{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-rf74-v2fm-23pw"},{"reference_url":"https://github.com/advisories/GHSA-rf74-v2fm-23pw","reference_id":"GHSA-rf74-v2fm-23pw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rf74-v2fm-23pw"}],"fixed_packages":[],"aliases":["GHSA-rf74-v2fm-23pw"],"risk
_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aydp-euhu-3bgh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78331?format=json","vulnerability_id":"VCID-c8kx-p4f2-1fck","summary":"NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. An attacker who controls a remote XML index server can provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite. Commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a patches the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33236.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33236","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0652","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33236"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33236"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elem
ents":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33236","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33236"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460","reference_id":"1131460","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131460"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449824","reference_id":"2449824","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449824"},{"reference_url":"https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a","reference_id":"89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/"}],"url":"https://github.com/nltk/nltk/commit/89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a"},{"reference_url":"https://github.com/advisories/GHSA-469j-vmhf-r6v7","reference_id":"GHSA-469j-vmhf-r6v7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-469j-vmhf-r6v7"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7","reference_id":"GHSA-469j-vmhf-r6v7","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_sys
tem":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:46:32Z/"}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-469j-vmhf-r6v7"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39356?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gac-u2vb-qkcq"},{"vulnerability":"VCID-aydp-euhu-3bgh"},{"vulnerability":"VCID-stbm-19e9-8khz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2026-33236","GHSA-469j-vmhf-r6v7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c8kx-p4f2-1fck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81582?format=json","vulnerability_id":"VCID-ebeb-dyr8-9fb1","summary":"A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. 
This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0847.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0847","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23572","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0847"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0847"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-98.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-98.yaml"},{"reference_url"
:"https://bugzilla.redhat.com/show_bug.cgi?id=2444608","reference_id":"2444608","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2444608"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0847","reference_id":"CVE-2026-0847","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0847"},{"reference_url":"https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966","reference_id":"fc69914f-36a9-4c18-8503-10013b39f966","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-04T18:49:39Z/"}],"url":"https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966"},{"reference_url":"https://github.com/advisories/GHSA-68j8-pq59-fqgm","reference_id":"GHSA-68j8-pq59-fqgm","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-68j8-pq59-fqgm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores"
:[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39356?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gac-u2vb-qkcq"},{"vulnerability":"VCID-aydp-euhu-3bgh"},{"vulnerability":"VCID-stbm-19e9-8khz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2026-0847","GHSA-68j8-pq59-fqgm","PYSEC-2026-98"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ebeb-dyr8-9fb1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/99408?format=json","vulnerability_id":"VCID-gg3u-72s3-tkfh","summary":"A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. 
This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-14009.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-14009","reference_id":"","reference_type":"","scores":[{"value":"0.00878","scoring_system":"epss","scoring_elements":"0.75762","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-14009"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14009"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1"},{"reference_url":"https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},
{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18"},{"reference_url":"https://github.com/nltk/nltk/pull/3468","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/3468"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-96.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474","reference_id":"1128474","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128474"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440724","reference_id":"2440724","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440724"},{"reference_url":"https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4","reference_id":"49ecbc02-054e-4470-b2e0-b267936cc4e4","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-19T04:55:48Z/"}],"url":"https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4"},{"reference_u
rl":"https://nvd.nist.gov/vuln/detail/CVE-2025-14009","reference_id":"CVE-2025-14009","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14009"},{"reference_url":"https://github.com/advisories/GHSA-7p94-766c-hgjp","reference_id":"GHSA-7p94-766c-hgjp","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7p94-766c-hgjp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://usn.ubuntu.com/8214-1/","reference_id":"USN-8214-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8214-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39356?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gac-u2vb-qkcq"},{"vulnerability":"VCID-aydp-euhu-3bgh"},{"vulnerability":"VCID-stbm-19e9-8khz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2025-14009","GHSA-7p94-766c-hgjp","PYSEC-2026-96"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gg3u-72s3-tkfh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/197816?format=json","vulnerability_id":"VCID-h8dd-9um6-b3f7","summary":"denial of 
service","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3828","reference_id":"","reference_type":"","scores":[{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.6317","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3828"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3828","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3828"},{"reference_url":"https://github.com/advisories/GHSA-2ww3-fxvq-293j","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2ww3-fxvq-293j"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.co
m/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6"},{"reference_url":"https://github.com/nltk/nltk/pull/2816","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/2816"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml"},{"reference_url":"https://huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3828","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual",
"scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3828"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995226","reference_id":"995226","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995226"},{"reference_url":"https://security.archlinux.org/AVG-2423","reference_id":"AVG-2423","reference_type":"","scores":[{"value":"Low","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2423"},{"reference_url":"https://usn.ubuntu.com/USN-5215-1/","reference_id":"USN-USN-5215-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/USN-5215-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66247?format=json","purl":"pkg:pypi/nltk@3.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gac-u2vb-qkcq"},{"vulnerability":"VCID-9z4z-ntd4-j3g1"},{"vulnerability":"VCID-aydp-euhu-3bgh"},{"vulnerability":"VCID-c8kx-p4f2-1fck"},{"vulnerability":"VCID-ebeb-dyr8-9fb1"},{"vulnerability":"VCID-gg3u-72s3-tkfh"},{"vulnerability":"VCID-stbm-19e9-8khz"},{"vulnerability":"VCID-ty4s-3zke-nka1"},{"vulnerability":"VCID-yjax-vd1r-zua8"},{"vulnerability":"VCID-zgsu-4k3d-93h2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.4"}],"aliases":["CVE-2021-3828","GHSA-2ww3-fxvq-293j","PYSEC-2021-356"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h8dd-9um6-b3f7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78194?format=json","vulnerability_id":"VCID-stbm-19e9-8khz","summary":"NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. 
In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service. Commit bbaae83db86a0f49e00f5b0db44a7254c268de9b patches the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33231.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33231","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05759","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33231"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33231","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33231"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459","reference_id":"11
31459","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131459"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449836","reference_id":"2449836","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2449836"},{"reference_url":"https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b","reference_id":"bbaae83db86a0f49e00f5b0db44a7254c268de9b","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/"}],"url":"https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b"},{"reference_url":"https://github.com/advisories/GHSA-jm6w-m3j8-898g","reference_id":"GHSA-jm6w-m3j8-898g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jm6w-m3j8-898g"},{"reference_url":"https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g","reference_id":"GHSA-jm6w-m3j8-898g","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:43:39Z/"}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2497
7","reference_id":"RHSA-2026:24977","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:24977"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374653?format=json","purl":"pkg:pypi/nltk@3.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.4"}],"aliases":["CVE-2026-33231","GHSA-jm6w-m3j8-898g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-stbm-19e9-8khz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207235?format=json","vulnerability_id":"VCID-ty4s-3zke-nka1","summary":"NLTK Vulnerable to REDoS","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3842","reference_id":"","reference_type":"","scores":[{"value":"0.0017","scoring_system":"epss","scoring_elements":"0.3807","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3842"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3842","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3842"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d","reference_id":"","reference_type":"","scores":[{"value"
:"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d"},{"reference_url":"https://github.com/nltk/nltk/pull/2906","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/2906"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2022-5.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2022-5.yaml"},{"reference_url":"https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003142","
reference_id":"1003142","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003142"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3842","reference_id":"CVE-2021-3842","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3842"},{"reference_url":"https://github.com/advisories/GHSA-rqjh-jp2r-59cj","reference_id":"GHSA-rqjh-jp2r-59cj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rqjh-jp2r-59cj"},{"reference_url":"https://usn.ubuntu.com/7365-1/","reference_id":"USN-7365-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7365-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18423?format=json","purl":"pkg:pypi/nltk@3.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gac-u2vb-qkcq"},{"vulnerability":"VCID-9z4z-ntd4-j3g1"},{"vulnerability":"VCID-aydp-euhu-3bgh"},{"vulnerability":"VCID-c8kx-p4f2-1fck"},{"vulnerability":"VCID-ebeb-dyr8-9fb1"},{"vulnerability":"VCID-gg3u-72s3-tkfh"},{"vulnerability":"VCID-stbm-19e9-8khz"},{"vulnerability":"VCID-yjax-vd1r-zua8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.6"}],"aliases":["CVE-2021-3842","GHSA-rqjh-jp2r-59cj","PYSEC-2022-5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ty4s-3zke-nka1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81947?format=json","vulnerability_id":"VCID-yjax-vd1r-zua8","summary":"A vulnerability in the `filestring()` 
function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0846.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0846","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25121","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-0846"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-0846"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk
/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974"},{"reference_url":"https://github.com/nltk/nltk/pull/3485","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/3485"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-97.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2026-97.yaml"},{"reference_url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb","reference_id":"007b84f8-418e-4300-99d0-bf504c2f97eb","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-12T14:48:03Z/"}],"url":"https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445826","reference_id":"2445826","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445826"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0846","reference_id":"CVE-2026-0846","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I
:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0846"},{"reference_url":"https://github.com/advisories/GHSA-h8wq-7xc4-p3qx","reference_id":"GHSA-h8wq-7xc4-p3qx","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h8wq-7xc4-p3qx"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:19712","reference_id":"RHSA-2026:19712","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"reference_url":"https://usn.ubuntu.com/8302-1/","reference_id":"USN-8302-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8302-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39356?format=json","purl":"pkg:pypi/nltk@3.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gac-u2vb-qkcq"},{"vulnerability":"VCID-aydp-euhu-3bgh"},{"vulnerability":"VCID-stbm-19e9-8khz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.9.3"}],"aliases":["CVE-2026-0846","GHSA-h8wq-7xc4-p3qx","PYSEC-2026-97"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yjax-vd1r-zua8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207048?format=json","vulnerability_id":"VCID-zgsu-4k3d-93h2","summary":"Inefficient Regular Expression Complexity in nltk (word_tokenize, 
sent_tokenize)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43854","reference_id":"","reference_type":"","scores":[{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.3453","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43854"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43854"},{"reference_url":"https://github.com/nltk/nltk","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk"},{"reference_url":"https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341"},{"reference_url":"https://github.com/nltk/nltk/issues/2866","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/issues/2866"},{"reference_url
":"https://github.com/nltk/nltk/pull/2869","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/pull/2869"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-859.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-859.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002623","reference_id":"1002623","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002623"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43854","reference_id":"CVE-2021-43854","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43854"},{"reference_url":"https://github.com/advisories/GHSA-f8m6-h2c7-8h9x","reference_id":"GHSA-f8m6-h2c7-8h9x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f8m6-h2c7-8h9x"},{"reference_url":"https://gith
ub.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x","reference_id":"GHSA-f8m6-h2c7-8h9x","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x"},{"reference_url":"https://usn.ubuntu.com/7365-1/","reference_id":"USN-7365-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7365-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68448?format=json","purl":"pkg:pypi/nltk@3.6.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gac-u2vb-qkcq"},{"vulnerability":"VCID-9z4z-ntd4-j3g1"},{"vulnerability":"VCID-aydp-euhu-3bgh"},{"vulnerability":"VCID-c8kx-p4f2-1fck"},{"vulnerability":"VCID-ebeb-dyr8-9fb1"},{"vulnerability":"VCID-gg3u-72s3-tkfh"},{"vulnerability":"VCID-stbm-19e9-8khz"},{"vulnerability":"VCID-ty4s-3zke-nka1"},{"vulnerability":"VCID-yjax-vd1r-zua8"},{"vulnerability":"VCID-zgsu-4k3d-93h2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.5"},{"url":"http://public2.vulnerablecode.io/api/packages/18423?format=json","purl":"pkg:pypi/nltk@3.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gac-u2vb-qkcq"},{"vulnerability":"VCID-9z4z-ntd4-j3g1"},{"vulnerability":"VCID-aydp-euhu-3bgh"},{"vulnerability":"VCID-c8kx-p4f2-1fck"},{"vulnerability":"VCID-ebeb-dyr8-9fb1"},{"vulnerability":"VCID-gg3u-72s3-tkfh"},{"vulnerability":"VCID-stbm-19e9-8khz"},{"vulnerability":"VCID-yjax-vd1r-zua8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.6"}],"aliases":["CVE-2021-43854","GHSA-f8m6-h2c7-8h9x","PYSE
C-2021-859"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zgsu-4k3d-93h2"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nltk@3.6.1"}