nltk has 4 known vulnerabilities on the latest version (3.9.4). DepScope rates its health at 60/100 (moderate risk).

What is the latest version of nltk?

The latest version of nltk is 3.9.4, released 2026-03-24.

Does nltk have known vulnerabilities?

Yes. nltk has 4 known vulnerabilities. See depscope.dev/pkg/pypi/nltk for details.

No, nltk is actively maintained. Latest release: 3.9.4 (2026-03-24).

What are alternatives to nltk?

Popular alternatives to nltk in PyPI include: boto3, packaging, idna, certifi, urllib3.

What license does nltk use?

nltk is licensed under Apache License, Version 2.0.

nltk

pypiv3.9.4

Natural Language Toolkit

License Apache License, Version 2.064 versions1 maintainers20 deps14,346,391 weekly dl

/ 100

Health

update required

[email protected] has vulnerabilities — update to latest

Moderate health score (60/100) — verify manually
3 high severity vulnerabilities

Health breakdown0 – 100

20/25

maintenance

20/20

popularity

8/25

security

15/15

maturity

2/15

community

0/15

popularity_floor

Vulnerabilities

3 high1 medium

Advisories (4)

Severity	ID	Summary	Fixed in
high	CVE-2026-33236	NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite	—
high	CVE-2026-0847	NLTK has a Path Traversal issue	—
medium	GHSA-rf74-v2fm-23pw	Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS	—
high	CVE-2026-0846	A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept u	—

Quality signals

OSS Criticality

0.47medium

Health History

Dependency Tree

License Audit

Dependencies (20)

click joblib regex tqdm numpy;python-crfsuite;scikit-learn;scipy;matplotlib;pyparsing;twython;requests;scipy;python-crfsuite;pyparsing;requests;numpy;scikit-learn;twython;matplotlib;

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/pypi/nltk

Browse all pypi packages →

Last updated · 2026-03-24T06:13:38.470142Z

Severity

Summary

Fixed in

high

CVE-2026-33236

NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite

—

high

CVE-2026-0847

NLTK has a Path Traversal issue

—

medium

GHSA-rf74-v2fm-23pw

Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS

—

high

CVE-2026-0846

A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept u

—