CVE-2026-12243
HIGH · 7.5
Published today with a clear PoC mechanism; no KEV yet; strong vendor/defender signal but no confirmation of mass scanning.
What: NLTK 3.9.4 path traversal via percent-encoded sequences (..%2f) in nltk.data.load/find, bypassing incomplete regex validation; CVSS 7.5 HIGH.
Why it matters: Published today with a working exploitation mechanism documented (regex bypass via URL decoding). Affects NLP web apps, Jupyter notebooks, and CLI tools. Not yet KEV-listed, but CVSS 7.5 and a clear attack outcome (arbitrary file read) warrant immediate triage. The default pathsec.ENFORCE=False setting increases risk because the file read is not blocked at the open() stage.
Where it's seen: Same-day social amplification on Bluesky (English- and Russian-language posts), threat radar alerting, and write-ups rehashing NVD details and mitigation advice.
RISK: HIGH — Path traversal enabling arbitrary file read; HIGH CVSS; default insecure config; NLP toolchain exposure.
Description
NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` function decodes these sequences after the validation step, allowing an attacker to bypass the protection. This vulnerability enables an attacker to read arbitrary files accessible to the Python process by controlling the resource name parameter passed to `nltk.data.load()` or `nltk.data.find()`. The issue affects applications that rely on NLTK for resource loading, including NLP web applications, Jupyter notebooks, and CLI tools. The default `pathsec.ENFORCE=False` setting exacerbates the impact by not blocking the file read at the `open()` stage.
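The ordering bug the description names, as an added illustration that is not NLTK's own code: a hypothetical literal-only check that runs before percent-decoding, beside a check that decodes to a fixed point first, plus an open()-time containment gate of the kind an enforced path-security setting would provide. The function names and the regex are assumptions, not the project's identifiers.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical stand-in for a literal-only traversal check (not NLTK's regex).
_LITERAL_TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def weak_is_safe(resource_name: str) -> bool:
    """Validate the raw string; decoding (url2pathname) only happens later."""
    return _LITERAL_TRAVERSAL_RE.search(resource_name) is None


def fully_decoded(resource_name: str, max_rounds: int = 5) -> Optional[str]:
    """Percent-decode until stable; None if it never stabilises (deep double-encoding)."""
    current = resource_name
    for _ in range(max_rounds):
        nxt = unquote(current)
        if nxt == current:
            return current
        current = nxt
    return None


def hardened_is_safe(resource_name: str) -> bool:
    """Decode first, then reject NULs, absolute paths and any '..' component."""
    decoded = fully_decoded(resource_name)
    if decoded is None or "\x00" in decoded:
        return False
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:", decoded):
        return False
    return ".." not in decoded.split("/")


def resolve_under(base_dir: str, resource_name: str) -> Optional[str]:
    """Second gate at open() time: the resolved path must stay inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(resource_name)))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

Run the two checks over the same inputs: the literal-only check passes `..%2f`, the decode-first check rejects it, and the containment gate refuses a resolved path outside the data directory even if an earlier check was skipped.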
CVSS 3.0 breakdown
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None