Description
A vulnerability in `nltk.app.wordnet_app` up to version 3.9.3 allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when started in its default mode. The server listens on all interfaces and processes a specific unauthenticated GET request (`/SHUTDOWN%20THE%20SERVER`) to terminate the process immediately via `os._exit(0)`. This results in a denial of service, impacting service availability. The issue arises due to insufficient authentication and protection mechanisms for critical server functions.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The wordnet_app component of the NLTK library contains a flaw that allows an unauthenticated user to terminate the WordNet Browser HTTP server by requesting the special URL /SHUTDOWN THE SERVER. Because the request is accepted on all network interfaces and triggers os._exit(0), the server process is brought down immediately, causing a denial of service. This weakness arises from a missing security check (CWE‑306).

Affected Systems

The issue affects versions of the NLTK library (nltk/nltk) through 3.9.3. Users running any of these releases with the default WordNet Browser HTTP server configuration are vulnerable.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability is classified as medium severity. The EPSS score of less than 1 % suggests that exploitation is unlikely at present, and it is not listed in the CISA KEV catalog. Nonetheless, the attack can be launched remotely against any instance where the server is listening on an externally reachable interface; the attacker merely needs to send an unauthenticated GET request targeting /SHUTDOWN THE SERVER.

Generated by OpenCVE AI on June 18, 2026 at 18:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NLTK to a version that removes the vulnerability (e.g., 3.9.4 or newer).
  • If an upgrade is not possible, reconfigure the WordNet Browser to bind only to localhost (127.0.0.1) or disable the HTTP server entirely.
  • Apply network‑level controls such as firewall rules to block external access to the WordNet Browser HTTP listening port.

Generated by OpenCVE AI on June 18, 2026 at 18:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Nltk
Nltk nltk/nltk
Vendors & Products Nltk
Nltk nltk/nltk

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in `nltk.app.wordnet_app` up to version 3.9.3 allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when started in its default mode. The server listens on all interfaces and processes a specific unauthenticated GET request (`/SHUTDOWN%20THE%20SERVER`) to terminate the process immediately via `os._exit(0)`. This results in a denial of service, impacting service availability. The issue arises due to insufficient authentication and protection mechanisms for critical server functions.
Title Unauthenticated Denial of Service in nltk.app.wordnet_app
Weaknesses CWE-306
References
Metrics cvssV3_0

{'score': 7.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-06-17T14:21:08.627Z

Reserved: 2026-06-14T09:15:42.775Z

Link: CVE-2026-12199

cve-icon Vulnrichment

Updated: 2026-06-17T14:21:04.329Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-17T07:13:14Z

Links: CVE-2026-12199 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:15:02Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function