NLTK 3.9.3Prior: Remote XML Index Path Traversal via unvalidated subdir/id
CVE-2026-33236 Published on March 20, 2026
NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the `subdir` and `id` attributes when processing remote XML index files. Attackers can control a remote XML index server to provide malicious values containing path traversal sequences (such as `../`), which can lead to arbitrary directory creation, arbitrary file creation, and arbitrary file overwrite. Commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8a patches the issue.
Vulnerability Analysis
CVE-2026-33236 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity and availability.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-33236 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2026-33236
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-33236 are published in these products:
Affected Versions
nltk:- Version <= 3.9.3 is affected.
- Version 1776243238 and below * is unaffected.
- Version 1776319185 and below * is unaffected.
- Version 1778262893 and below * is unaffected.
- Version 1778263054 and below * is unaffected.
- Version 1782471606 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.