CVE-2026-33236
Received Received - Intake
Path Traversal in NLTK Downloader Allows Arbitrary File Overwrite

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite. Commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-05-07
AI Q&A
2026-03-21
EPSS Evaluated
2026-05-05
NVD
CVE-2026-33236
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nltk nltk to 3.9.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the NLTK (Natural Language Toolkit) downloader in versions 3.9.3 and prior. The downloader does not properly validate the 'subdir' and 'id' attributes when processing remote XML index files. An attacker who controls a remote XML index server can supply malicious values containing path traversal sequences like '../'. This can lead to arbitrary directory creation, file creation, and file overwrite on the system where the downloader runs.


How can this vulnerability impact me? :

The vulnerability can allow an attacker to create or overwrite files and directories arbitrarily on the affected system. This can lead to potential disruption of service, unauthorized modification of files, or execution of malicious code. The CVSS score of 8.1 indicates a high severity with impacts on integrity and availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update NLTK to a version later than 3.9.3 where the issue is patched (commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a). This update addresses the improper validation of the `subdir` and `id` attributes in the downloader, preventing path traversal attacks.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart