CVE-2026-12243

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` function decodes these sequences after the validation step, allowing an attacker to bypass the protection. This vulnerability enables an attacker to read arbitrary files accessible to the Python process by controlling the resource name parameter passed to `nltk.data.load()` or `nltk.data.find()`. The issue affects applications that rely on NLTK for resource loading, including NLP web applications, Jupyter notebooks, and CLI tools. The default `pathsec.ENFORCE=False` setting exacerbates the impact by not blocking the file read at the `open()` stage.
References
Link Resource
https://huntr.com/bounties/39aa9354-54ca-4e77-96da-580eb1fe6ed1 Exploit Mitigation Third Party Advisory
https://huntr.com/bounties/39aa9354-54ca-4e77-96da-580eb1fe6ed1 Exploit Mitigation Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:nltk:nltk:3.9.4:*:*:*:*:*:*:*

History

30 Jun 2026, 20:10

Type Values Removed Values Added
CPE cpe:2.3:a:nltk:nltk:3.9.4:*:*:*:*:*:*:*
First Time Nltk
Nltk nltk
References () https://huntr.com/bounties/39aa9354-54ca-4e77-96da-580eb1fe6ed1 - () https://huntr.com/bounties/39aa9354-54ca-4e77-96da-580eb1fe6ed1 - Exploit, Mitigation, Third Party Advisory

30 Jun 2026, 14:16

Type Values Removed Values Added
References () https://huntr.com/bounties/39aa9354-54ca-4e77-96da-580eb1fe6ed1 - () https://huntr.com/bounties/39aa9354-54ca-4e77-96da-580eb1fe6ed1 -

30 Jun 2026, 01:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-30 01:16

Updated : 2026-06-30 20:10


NVD link : CVE-2026-12243

Mitre link : CVE-2026-12243

CVE.ORG link : CVE-2026-12243


JSON object : View

Products Affected

nltk

  • nltk
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')