Vulnerability details: VCID-9z4z-ntd4-j3g1
Vulnerability ID VCID-9z4z-ntd4-j3g1
Aliases CVE-2024-39705
GHSA-cgvx-9447-vcch
PYSEC-2024-167
Summary NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Weaknesses (4)
System Score Found at
epss 0.10792 https://api.first.org/data/v1/epss?cve=CVE-2024-39705
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-cgvx-9447-vcch
cvssv3.1 7.5 https://github.com/nltk/nltk
cvssv4 7.5 https://github.com/nltk/nltk
generic_textual HIGH https://github.com/nltk/nltk
cvssv3.1 7.5 https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
cvssv4 7.5 https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
generic_textual HIGH https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
cvssv3.1 7.5 https://github.com/nltk/nltk/issues/2522
cvssv3.1 9.8 https://github.com/nltk/nltk/issues/2522
cvssv4 7.5 https://github.com/nltk/nltk/issues/2522
generic_textual HIGH https://github.com/nltk/nltk/issues/2522
ssvc Track https://github.com/nltk/nltk/issues/2522
cvssv3.1 7.5 https://github.com/nltk/nltk/issues/3266
cvssv3.1 9.8 https://github.com/nltk/nltk/issues/3266
cvssv4 7.5 https://github.com/nltk/nltk/issues/3266
generic_textual HIGH https://github.com/nltk/nltk/issues/3266
ssvc Track https://github.com/nltk/nltk/issues/3266
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml
cvssv4 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-39705
cvssv4 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-39705
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-39705
cvssv3.1 7.5 https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
cvssv3.1 9.8 https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
cvssv4 7.5 https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
generic_textual HIGH https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
ssvc Track https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/nltk/nltk
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/nltk/nltk
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/nltk/nltk/issues/2522
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/nltk/nltk/issues/2522
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/nltk/nltk/issues/2522
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/ Found at https://github.com/nltk/nltk/issues/2522
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/nltk/nltk/issues/3266
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/nltk/nltk/issues/3266
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/nltk/nltk/issues/3266
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/ Found at https://github.com/nltk/nltk/issues/3266
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-39705
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-39705
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-06-28T14:53:05Z/ Found at https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
Exploit Prediction Scoring System (EPSS)
Percentile 0.93517
EPSS Score 0.10792
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:37:34.237871+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/39xxx/CVE-2024-39705.json 38.6.0