CVE-2026-33236
Received Received - Intake
Path Traversal in NLTK Downloader Allows Arbitrary File Overwrite

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite. Commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33236
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nltk nltk to 3.9.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the NLTK (Natural Language Toolkit) downloader in versions 3.9.3 and prior. The downloader does not properly validate the 'subdir' and 'id' attributes when processing remote XML index files. An attacker who controls a remote XML index server can supply malicious values containing path traversal sequences like '../'. This can lead to arbitrary directory creation, file creation, and file overwrite on the system where the downloader runs.

Impact Analysis

The vulnerability can allow an attacker to create or overwrite files and directories arbitrarily on the affected system. This can lead to potential disruption of service, unauthorized modification of files, or execution of malicious code. The CVSS score of 8.1 indicates a high severity with impacts on integrity and availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update NLTK to a version later than 3.9.3 where the issue is patched (commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a). This update addresses the improper validation of the `subdir` and `id` attributes in the downloader, preventing path traversal attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart