{"id":81258,"date":"2026-06-30T03:44:35","date_gmt":"2026-06-30T00:14:35","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-12243-path-traversal-via-percent-encoding-in-nltk-data-find-and-nltk-data-load\/"},"modified":"2026-06-30T03:44:35","modified_gmt":"2026-06-30T00:14:35","slug":"cve-2026-12243-path-traversal-via-percent-encoding-in-nltk-data-find-and-nltk-data-load","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-12243-path-traversal-via-percent-encoding-in-nltk-data-find-and-nltk-data-load\/","title":{"rendered":"CVE-2026-12243 \u2013 Path Traversal via Percent-Encoding in nltk.data.find() and nltk.data.load()"},"content":{"rendered":"<p>CVE ID: CVE-2026-12243<\/p>\n<p>Published: June 30, 2026, 12:14 a.m.<\/p>\n<p>Description: NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk\/data.py` checks for literal `..\/` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` function decodes these sequences after the validation step, allowing an attacker to bypass the protection. This vulnerability enables an attacker to read arbitrary files accessible to the Python process by controlling the resource name parameter passed to `nltk.data.load()` or `nltk.data.find()`. The issue affects applications that rely on NLTK for resource loading, including NLP web applications, Jupyter notebooks, and CLI tools. The default `pathsec.ENFORCE=False` setting exacerbates the impact by not blocking the file read at the `open()` stage.<\/p>\n<p>Severity: 0.0 | NA<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more...<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID: CVE-2026-12243 Published: June 30, 2026, 12:14 a.m. Description: NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk\/data.py` checks for literal `..\/` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. ...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-81258","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81258","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=81258"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81258\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=81258"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=81258"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=81258"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}