SCA: security update for nltk (GHSA-7p94-766c-hgjp)

High | Tenable Cloud Security | Plugin ID 437996

Description

One or more installed packages are affected by the vulnerability referenced in the following CVE:

- A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions
prior to 3.9.3. The _unzip_iter function in nltk/downloader.py extracts downloaded packages with
zipfile.extractall() without validating member paths or otherwise checking the archive contents.
Because NLTK treats every downloaded package as trusted, an attacker who can get NLTK to download a
zip package they control can have it extracted as-is. If that archive contains Python files such as
__init__.py, they run automatically once imported, giving the attacker remote code execution. The
impact is full compromise of the affected host, including file system access, network access, and the
opportunity to establish persistence. (CVE-2025-14009)
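The checks the description says are missing, as an added example that is not nltk's code and does not reproduce the 3.9.3 fix: every archive member is audited before zipfile.extractall() is allowed to run. The two archives are constructed in memory for the example, and the function names (audit_zip, safe_extract, build_zip) are illustrative.

```python
"""Added example: validate zip members before extraction (not nltk's code)."""
import io
import stat
import tempfile
import zipfile
from pathlib import Path


def audit_zip(zf, dest):
    """Return one finding per member that must not be extracted into `dest`.
    An empty list means the archive passed."""
    findings = []
    root = Path(dest).resolve()
    for info in zf.infolist():
        name = info.filename
        # Absolute POSIX paths or DOS drive letters can land anywhere on disk.
        if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
            findings.append(f"absolute path: {name}")
            continue
        # Resolve the would-be target and require it to stay under `dest`.
        target = (root / name).resolve()
        if target != root and root not in target.parents:
            findings.append(f"path traversal: {name}")
            continue
        # A symlink member pointing outside `dest` lets later members write
        # through it, so links are rejected outright.
        if stat.S_ISLNK(info.external_attr >> 16):
            findings.append(f"symlink member: {name}")
            continue
        # A data package has no legitimate reason to ship importable code.
        if name.endswith((".py", ".pyc", ".pth")):
            findings.append(f"python code in data package: {name}")
    return findings


def safe_extract(data, dest):
    """Extract only when audit_zip() has no findings; return member names."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings = audit_zip(zf, dest)
        if findings:
            raise ValueError("refusing to extract: " + "; ".join(findings))
        zf.extractall(dest)
        return zf.namelist()


def build_zip(entries, symlinks=()):
    """Constructed fixture: build an archive in memory. `symlinks` is a list
    of (member name, link target) pairs stored with a symlink mode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
        for name, link_target in symlinks:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(zi, link_target)
    return buf.getvalue()


# Constructed sample archives (not real nltk_data packages).
BENIGN = build_zip({"corpora/demo/README": b"constructed corpus\n",
                    "corpora/demo/words.txt": b"alpha\nbeta\n"})

MALICIOUS = build_zip(
    {"corpora/demo/README": b"looks legitimate\n",
     "../../site-packages/evil/__init__.py": b"import os\n",   # traversal
     "/etc/cron.d/backdoor": b"* * * * * root id\n",           # absolute
     "corpora/demo/__init__.py": b"print('ran on import')\n"},  # code in data
    symlinks=[("corpora/demo/link", "/etc/passwd")])            # symlink


def run_demo():
    """Extract the benign archive, audit the malicious one, and confirm the
    malicious one is refused. Returns (extracted names, findings, refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        extracted = safe_extract(BENIGN, tmp)
        with zipfile.ZipFile(io.BytesIO(MALICIOUS)) as zf:
            findings = audit_zip(zf, tmp)
        try:
            safe_extract(MALICIOUS, tmp)
            refused = False
        except ValueError:
            refused = True
    return extracted, findings, refused


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

Current CPython versions of extractall() already drop leading separators and ".." segments from member names, so a traversal entry is silently renamed rather than blocked; the audit above rejects the whole archive instead, and also covers symlink members and bundled Python source, which extractall() does not consider at all.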

Solution

Update the nltk library and its related packages to version 3.9.3 or later.
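Two checks a practitioner will want alongside the upgrade, as an added example that is neither Tenable's plugin logic nor nltk's code: a version gate against the fixed release named above, and a sweep of an nltk_data tree for Python source, since upgrading does not remove packages that were already extracted. The NLTK_DATA and ~/nltk_data locations are an assumption for the example (nltk.data.path is the authoritative list), and treating .py/.pyc/.pth files under nltk_data as suspicious is a heuristic, not a rule from the advisory.

```python
"""Added example: version gate for CVE-2025-14009 and nltk_data sweep."""
import os
import re
import tempfile
from importlib import metadata
from pathlib import Path

FIXED_VERSION = "3.9.3"  # from the Solution section of the advisory


def parse_version(text):
    """Turn '3.9.2', '3.10' or '3.9.3rc1' into a comparable tuple. The last
    element marks pre-releases (-1) so 3.9.3rc1 sorts before 3.9.3 (0)."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # '3.10' -> 3.10.0
    is_pre = re.match(r"^[.\-]?(a|b|rc|alpha|beta|dev)", m.group(2), re.I) is not None
    return tuple(nums) + ((-1,) if is_pre else (0,))


def is_vulnerable(version):
    """True when the given nltk version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_nltk_version():
    """Version of the nltk distribution in this interpreter, or None."""
    try:
        return metadata.version("nltk")
    except metadata.PackageNotFoundError:
        return None


def candidate_data_dirs():
    """Assumed nltk_data locations: NLTK_DATA entries plus ~/nltk_data."""
    dirs = [Path(p) for p in os.environ.get("NLTK_DATA", "").split(os.pathsep) if p]
    dirs.append(Path.home() / "nltk_data")
    return [d for d in dirs if d.is_dir()]


def find_python_files(root):
    """Relative paths of importable Python artifacts under an nltk_data tree.
    Heuristic: corpus and model packages are data, so any .py/.pyc/.pth
    file here is worth investigating as a possible planted package."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in {".py", ".pyc", ".pth"}:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def run_demo():
    """Constructed nltk_data tree with one planted __init__.py."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "corpora" / "demo"
        pkg.mkdir(parents=True)
        (pkg / "words.txt").write_text("alpha\n")
        (pkg / "__init__.py").write_text("import os\n")
        return find_python_files(tmp)


if __name__ == "__main__":
    v = installed_nltk_version()
    if v is None:
        print("nltk: not installed")
    else:
        print(f"nltk {v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for d in candidate_data_dirs():
        for hit in find_python_files(d):
            print(f"{d}: suspicious file {hit}")
```

Run it in the same interpreter that the application uses; a hit under an existing nltk_data directory means the package was extracted before the upgrade and should be treated as a potential compromise rather than simply deleted.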

See Also

https://github.com/advisories/GHSA-7p94-766c-hgjp

Plugin Details

Severity: High

ID: 437996

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 2/27/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58.03

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-14009

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/18/2026

Vulnerability Publication Date: 2/18/2026

Reference Information

CVE: CVE-2025-14009

CWE: CWE-94