Description
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. Commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue.
Published: 2026-03-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected cross‑site scripting in WordNet Browser
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the lookup_… route of nltk.app.wordnet_app, where a user‑controlled word value is inserted into an HTML response without proper escaping. A malicious actor can craft a lookup_<payload> URL that injects arbitrary JavaScript or HTML, and the browser that renders the WordNet Browser page executes that payload in the application's own origin. This can allow the attacker to run arbitrary script in the user's browser, access session data, or perform actions on behalf of the user.
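The following is an added illustration of the reflected-XSS pattern described above, with the escaped form beside it; it is constructed for this page and is not the NLTK wordnet_app source (the route regex, function names and the probe path are assumptions).

```python
import html
import re
from urllib.parse import unquote

# Constructed illustration, not NLTK's wordnet_app code: a lookup_<word>
# route whose handler reflects the word into the HTML page it returns.
LOOKUP_RE = re.compile(r"^/lookup_(?P<word>.*)$")


def parse_lookup_word(path):
    """Extract the word from a /lookup_<word> request path (None if no match)."""
    m = LOOKUP_RE.match(path)
    return unquote(m.group("word")) if m else None


def render_vulnerable(word):
    """Reflected XSS: attacker-controlled text is interpolated into HTML as-is."""
    return f"<html><body><h1>Lookup: {word}</h1></body></html>"


def render_fixed(word):
    """Hardened form: HTML-escape the reflected data before emitting it (CWE-79 mitigation)."""
    return f"<html><body><h1>Lookup: {html.escape(word, quote=True)}</h1></body></html>"


def handle(path, render):
    """Tiny dispatcher returning (status, body) for a request path and a renderer."""
    word = parse_lookup_word(path)
    if word is None:
        return 404, "not found"
    return 200, render(word)


def reflects_raw_markup(body, word):
    """Response check: True if the input carried HTML-significant characters
    and the input string survives unescaped in the response body."""
    return any(ch in word for ch in "<>\"'") and word in body


if __name__ == "__main__":
    probe = "/lookup_%3Cscript%3Ealert(1)%3C/script%3E"  # constructed test input
    word = parse_lookup_word(probe)
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        status, body = handle(probe, render)
        print(name, status, "raw markup reflected:", reflects_raw_markup(body, word))
```

The same check can be run against a real response body to confirm that a patched server no longer reflects the raw markup.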

Affected Systems

NLTK Natural Language Toolkit versions 3.9.3 and earlier that run the wordnet_app module as the WordNet Browser server on any platform supporting Python. The vulnerability affects any user who launches the local WordNet Browser server.

Risk and Exploitability

With a CVSS score of 6.1 the vulnerability is rated moderate, and an EPSS score below 1% indicates a low likelihood of exploitation. It is not listed in the CISA KEV catalogue. Exploitation requires a crafted URL to reach the running WordNet Browser server; based on the description, the server must therefore be reachable by the attacker, which is only the case if it is exposed to an untrusted network. The impact is limited to the browser context of the running application.

Generated by OpenCVE AI on March 23, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NLTK to a version that contains the fix from commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f, which removes the reflected XSS issue.
  • If an immediate upgrade is not feasible, limit the WordNet Browser server’s network access to trusted users only, thereby preventing untrusted URLs from reaching the vulnerable endpoint.
  • Consider binding the WordNet Browser to localhost or running it on a restricted network to reduce exposure.


Advisories
Source: GitHub GHSA
ID: GHSA-gfwx-w7gr-fvh7
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk
History

Tue, 24 Mar 2026 02:30:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 19:15:00 +0000

CPEs, values added: cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 12:15:00 +0000

References
Metrics (threat_severity): values removed: None; values added: Moderate


Mon, 23 Mar 2026 10:00:00 +0000

First Time appeared: Nltk; Nltk nltk
Vendors & Products: Nltk; Nltk nltk

Fri, 20 Mar 2026 23:00:00 +0000


Fri, 20 Mar 2026 22:45:00 +0000

Description, values added: the Description text given at the top of this page (identical)
Title, values added: nltk Vulnerable to Cross-site Scripting
Weaknesses, values added: CWE-79
References
Metrics (cvssV3_1), values added:
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T02:07:12.001Z

Reserved: 2026-03-18T02:42:27.507Z

Link: CVE-2026-33230

Vulnrichment

Updated: 2026-03-24T02:07:06.975Z

NVD

Status: Analyzed

Published: 2026-03-20T23:16:46.680

Modified: 2026-03-23T19:14:50.023

Link: CVE-2026-33230

Redhat

Severity: Moderate

Public Date: 2026-03-20T22:43:39Z

Links: CVE-2026-33230 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:34:10Z

Weaknesses