CVE-2025-14009 · CRITICAL 10.0 · EPSS percentile 48.5%

Description

A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.
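The path validation the description says `_unzip_iter` lacks, as an added example that is not NLTK's code: every archive member is audited before `zipfile.extractall()` runs, rejecting entries that resolve outside the destination, symlink entries, and Python source in what should be a data-only package. The `CODE_SUFFIXES` policy, the `audit`/`safe_extract`/`build_sample` names and the `/tmp` destination are assumptions for this example.

```python
import io
import stat
import zipfile
from pathlib import Path

# Suffixes that run as code on import; a data-only package (corpora, models)
# has no need for them. Assumed policy for this example, not from the advisory.
CODE_SUFFIXES = {".py", ".pyc", ".pyd", ".so"}


def audit(zip_bytes: bytes, dest: str) -> list:
    """Return (member, reason) for every entry that must not be extracted."""
    root = Path(dest).resolve()
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names and '..' segments resolve outside dest (zip slip).
            if not (root / name).resolve().is_relative_to(root):  # Python 3.9+
                problems.append((name, "path escapes destination"))
            # A symlink entry can redirect later writes outside the tree.
            elif stat.S_ISLNK(info.external_attr >> 16):
                problems.append((name, "symlink entry"))
            elif Path(name).suffix in CODE_SUFFIXES:
                problems.append((name, "code file in data package"))
    return problems


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only when every member passes audit(); return extracted names."""
    problems = audit(zip_bytes, dest)
    if problems:
        raise ValueError(f"refusing to extract: {problems}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample(entries: dict) -> bytes:
    """Constructed in-memory archive for the demo (not a real NLTK package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    dest = "/tmp/nltk_data_demo"  # placeholder destination for the demo
    print(audit(build_sample({"corpus/words.txt": b"a\nb"}), dest))  # []
    print(audit(build_sample({"../../x.txt": b"", "pkg/__init__.py": b""}), dest))
```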

Scoring

CVSS 3.0: 10.0 (CRITICAL)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.71% probability of exploitation · percentile 48.5% · 2026-06-19T12:03:05Z
Published: 2026-02-18
Last modified: 2026-03-06

Underlying weaknesses (1)

CWE-94

References

  1. https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4

Type      Target                                                     Confidence  Tier
Weakness  Improper Control of Generation of Code ('Code Injection')  CWE-94 (0%) live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-33236
  2. CVE-2026-0848
  3. CVE-2025-4517
  4. CVE-2025-15031
  5. CVE-2025-2000
  6. CVE-2025-10854
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.