USN-8302-1: NLTK vulnerabilities

It was discovered that NLTK incorrectly validated file paths when opening files using the nltk.util module. An attacker could possibly use this issue to obtain sensitive information. CVE-2026-0846 It was discovered that NLTK incorrectly validated file paths in multiple CorpusReader classes. An...

SUSE CVE-2026-33236

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

CVE-2026-33236

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

UBUNTU-CVE-2026-33236

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

CVE-2026-33236

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

CVE-2026-33236

CVE-2026-33236 affects the NLTK downloader in versions up to 3.9.3, where remote XML index processing does not validate the subdir and id attributes. This allows an attacker-controlled XML index server to supply path traversal values (e.g., ../) that can lead to arbitrary directory creation, file...

CVE-2026-33236 NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

CVE-2026-2536

A vulnerability was determined in opencc JFlow up to 20260129. This affects the function ImpDone of the file src/main/java/bp/wf/httphandler/WFAdminAttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. The attack may be...

EUVD-2017-16402

Malware in sbrugna...

EUVD-2025-29201

Malicious code in bioql PyPI...

CVE-2025-11140

A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed...

CVE-2025-58748 Dataease H2 data source JDBC URL validation bypass leads to remote code execution

Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12 the H2 data source implementation H2.java does not verify that a provided JDBC URL starts with jdbc:h2. This lack of validation allows a crafted JDBC configuration that substitutes the Amazon...

CVE-2021-25163

A remote XML external entity vulnerability was discovered in Aruba AirWave Management Platform versions prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability...

Linux Distros Unpatched Vulnerability : CVE-2017-7375

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in libxml2 allows remote XML entity inclusion with default parser flags i.e., when the caller did not request entity substitution, DTD validation, extern...

The vulnerability of the server for the Continuous Integration and Delivery system (CI/CD) of GoCD arises from incorrect restrictions on XML references to external objects. This allows attackers to perform XXE attacks.

The vulnerability of the CI/CD server of GoCD is related to an incorrect restriction on XML references to external objects. Exploiting this vulnerability allows a malicious actor to perform XXE attacks remotely...

SUSE CVE-2008-5024

Mozilla Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 do not properly escape quote characters used for XML processing, which allows remote attackers to conduct XML injection attacks via the default namespace in an E4X...

The vulnerability of the JDBC driver (PgJDBC) for connecting Java programs to the PostgreSQL database allows attackers to perform XXE attacks.

The vulnerability of the JDBC driver PgJDBC for connecting Java programs to the PostgreSQL database is related to incorrect restrictions on XML references to external objects. Exploiting this vulnerability allows a remote attacker to perform XXE attacks...

Xxe

A remote XML external entity XXE vulnerability was discovered in Aruba ClearPass Policy Manager versions: Prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability...

Huawei EulerOS: Security Advisory for libxml2 (EulerOS-SA-2018-1336)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Huawei EulerOS: Security Advisory for libxml2 (EulerOS-SA-2018-1070)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...