Description
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service. Commit bbaae83db86a0f49e00f5b0db44a7254c268de9b patches the issue.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The flaw in NLTK's nltk.app.wordnet_app lets an attacker terminate the WordNet Browser HTTP server without authentication. A remote client only has to send `GET /SHUTDOWN%20THE%20SERVER` (the path decodes to "SHUTDOWN THE SERVER"); the handler then calls os._exit(0), which ends the process immediately and skips normal interpreter shutdown, so no finally blocks, atexit handlers or socket cleanup run. Because the process is gone rather than merely busy, the service stays down until someone restarts it, which is a denial of service. The weakness is a missing authentication check around a server control operation (CWE-306, Missing Authentication for Critical Function).
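To make the mechanism concrete, here is an added example written for this page; it is not code from the NLTK project or from the fixing commit. It models the vulnerable request handling as a plain class beside a hardened version. The decoding with unquote_plus, the loopback-plus-token check in HardenedHandler, the constructed route `/wn`, and the exit hook injected so the example can run without killing the interpreter are all assumptions of this example, not a description of the actual patch.

```python
from __future__ import annotations

import hmac
import os
import secrets
import threading
from urllib.parse import parse_qsl, unquote_plus, urlsplit

SHUTDOWN_COMMAND = "SHUTDOWN THE SERVER"
PAGE = "<html><body>WordNet browser page</body></html>"  # stand-in content


def decode_target(target: str) -> tuple[str, dict[str, str]]:
    """Split a raw request target into (decoded command, query dict).

    '/SHUTDOWN%20THE%20SERVER' and '/SHUTDOWN+THE+SERVER' both decode to
    'SHUTDOWN THE SERVER'. The query string is kept separate so a token can
    travel in it. (Assumed decoding; the page does not show NLTK's own.)
    """
    parts = urlsplit(target)
    return unquote_plus(parts.path.lstrip("/")), dict(parse_qsl(parts.query))


class VulnerableHandler:
    """Models the weakness: a decoded path equal to the command terminates
    the process via os._exit(0) with no authentication and no origin check
    (CWE-306). exit_fn is injectable only so this example can be run
    without killing the interpreter; the real code calls os._exit directly.
    """

    def __init__(self, exit_fn=os._exit):
        self._exit = exit_fn

    def do_get(self, target: str, client_ip: str) -> tuple[int, str]:
        command, _ = decode_target(target)
        if command == SHUTDOWN_COMMAND:
            self._exit(0)  # with the real os._exit nothing below ever runs
            return 503, "process would have exited here"
        return 200, PAGE


class HardenedHandler:
    """One way to close the hole (an assumption of this example, not the
    project's patch): honour shutdown only from loopback, only with a
    per-process secret, and stop the server gracefully instead of os._exit.
    """

    def __init__(self, stop_fn, token: str | None = None):
        self._stop = stop_fn  # e.g. HTTPServer.shutdown in a real server
        self.token = token if token is not None else secrets.token_urlsafe(32)

    def do_get(self, target: str, client_ip: str) -> tuple[int, str]:
        command, query = decode_target(target)
        if command != SHUTDOWN_COMMAND:
            return 200, PAGE
        # Loopback alone is not enough: a web page open in a local browser
        # could still fire the request cross-site, so the token is required.
        if client_ip not in ("127.0.0.1", "::1"):
            return 403, "shutdown is only accepted from the local host"
        supplied = query.get("token", "")
        if not hmac.compare_digest(supplied.encode(), self.token.encode()):
            return 401, "missing or invalid shutdown token"
        # HTTPServer.shutdown() waits for serve_forever() to return, so it
        # must be called from a thread other than the one handling requests.
        threading.Thread(target=self._stop, daemon=True).start()
        return 200, "server shutting down"


def demo() -> dict[str, object]:
    """Exercise both handlers with the request from the advisory, using
    recording stubs in place of os._exit and the real shutdown call."""
    exits: list[int] = []
    VulnerableHandler(exit_fn=exits.append).do_get(
        "/SHUTDOWN%20THE%20SERVER", "203.0.113.7")

    hardened = HardenedHandler(stop_fn=lambda: None)
    request = "/SHUTDOWN%20THE%20SERVER"
    return {
        "vulnerable_exit_codes": exits,  # [0]: the process is gone
        "remote": hardened.do_get(request, "203.0.113.7")[0],
        "local_no_token": hardened.do_get(request, "127.0.0.1")[0],
        "local_wrong_token": hardened.do_get(request + "?token=guess", "127.0.0.1")[0],
        "local_with_token": hardened.do_get(f"{request}?token={hardened.token}", "127.0.0.1")[0],
        "ordinary_page": hardened.do_get("/wn?word=bank", "203.0.113.7")[0],  # constructed route
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a real BaseHTTPRequestHandler subclass the client address comes from self.client_address[0] and the token would be printed to the operator's terminal at startup, so only someone who can read that terminal (or the browser the app itself launched) can stop the server. Binding the listener to 127.0.0.1 instead of all interfaces is the complementary change; the token is still needed against cross-site requests from a local browser.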

Affected Systems

NLTK versions 3.9.3 and earlier ship the vulnerable wordnet_app. The vulnerability is in the default startup mode of the WordNet Browser HTTP server bundled with the library; a host is only exposed while that server is running and its listening port is reachable, and other NLTK functionality is not involved. Users who rely on the WordNet Browser for research or in automated pipelines should check the installed version (nltk.__version__) and upgrade to a release later than 3.9.3 that includes the fix.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High); the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H records a network-reachable, low-complexity attack that needs no privileges or user interaction, with impact limited to availability. The EPSS score is below 1%, suggesting limited exploitation probability at present, and the CVE is not listed in CISA's KEV catalog. Note, however, that the SSVC assessment records Exploitation: poc and Automatable: yes, so a working trigger is public and trivially scriptable: a single unauthenticated GET request is enough, and any host that can reach the listening port can kill the server. While the impact is confined to denial of service, it can disrupt research workflows or automated pipelines that depend on the local WordNet service.
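Since the page describes the process terminating immediately on the request, the vulnerable server's own log is unlikely to contain it; a reverse proxy or network sensor in front of it will. The following added example (not part of the OpenCVE page or the NLTK project) scans Common Log Format lines for the shutdown target in its percent-encoded, plus-encoded and case-varied forms and flags hits from non-loopback sources. The log lines are constructed for the example; the 502 statuses assume a proxy whose backend went away mid-request.

```python
import re
from urllib.parse import unquote_plus, urlsplit

SHUTDOWN_COMMAND = "SHUTDOWN THE SERVER"
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample in Common Log Format, as a reverse proxy or network
# sensor in front of the WordNet Browser might record it. Not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:12:00:01 +0000] "GET /wn?word=bank HTTP/1.1" 200 5120
127.0.0.1 - - [20/Mar/2026:12:00:02 +0000] "GET /SHUTDOWN%20THE%20SERVER HTTP/1.1" 502 -
203.0.113.7 - - [20/Mar/2026:12:00:03 +0000] "GET /SHUTDOWN+THE+SERVER HTTP/1.1" 502 -
198.51.100.9 - - [20/Mar/2026:12:00:04 +0000] "GET /shutdown%20the%20server?x=1 HTTP/1.1" 502 -
this line is not an access-log entry
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def parse_clf(line: str):
    """Return the fields of one Common Log Format line, or None if the
    line does not parse (so stray text in a log file is skipped)."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_shutdown_target(target: str) -> bool:
    """Percent- and plus-decode the path part and compare it with the
    command. The comparison ignores case deliberately: whether NLTK's own
    check is case-sensitive is not stated on the page, and a probe with
    different casing is still worth seeing."""
    path = urlsplit(target).path.lstrip("/")
    return unquote_plus(path).casefold() == SHUTDOWN_COMMAND.casefold()


def find_shutdown_requests(lines):
    """Return one record per shutdown request, marking non-loopback
    sources as remote; those are the ones that matter for this CVE."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_shutdown_target(rec["target"]):
            continue
        hits.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "target": rec["target"],
            "status": int(rec["status"]),
            "remote": rec["ip"] not in LOOPBACK,
        })
    return hits


if __name__ == "__main__":
    for hit in find_shutdown_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it over a real proxy log with `find_shutdown_requests(open(path))`; a remote hit followed by the backend disappearing is the signature to alert on.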

Generated by OpenCVE AI on March 23, 2026 at 20:38 UTC.

Remediation

Fixed upstream in commit bbaae83db86a0f49e00f5b0db44a7254c268de9b (see the description above). No distribution vendor fix or workaround is listed here yet; until the patched code is installed, run the WordNet Browser only where its listening port is not reachable from untrusted networks, since the shutdown request needs no credentials.

OpenCVE Recommended Actions

  • Apply the patch from commit bbaae83db86a0f49e00f5b0db44a7254c268de9b or upgrade to a later NLTK release that fixes the vulnerability.


Advisories
Source: GitHub GHSA
ID: GHSA-jm6w-m3j8-898g
Title: Unauthenticated remote shutdown in nltk.app.wordnet_app
History

Wed, 25 Mar 2026 14:15:00 +0000

Metrics (ssvc), added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 19:15:00 +0000

CPEs, added: cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 12:15:00 +0000

References: changed (values not listed)
Metrics (threat_severity), removed: None; added: Important

Mon, 23 Mar 2026 10:00:00 +0000

First Time appeared, added: Nltk; Nltk nltk
Vendors & Products, added: Nltk; Nltk nltk

Fri, 20 Mar 2026 23:00:00 +0000

Description, added: NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service. Commit bbaae83db86a0f49e00f5b0db44a7254c268de9b patches the issue.
Title, added: NLTK has unauthenticated remote shutdown in nltk.app.wordnet_app
Weaknesses, added: CWE-306
References: changed (values not listed)
Metrics (cvssV3_1), added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:43:45.724Z

Reserved: 2026-03-18T02:42:27.507Z

Link: CVE-2026-33231

Vulnrichment

Updated: 2026-03-25T13:43:42.487Z

NVD

Status: Analyzed

Published: 2026-03-20T23:16:46.850

Modified: 2026-03-23T19:15:05.163

Link: CVE-2026-33231

Redhat

Severity: Important

Public Date: 2026-03-20T22:45:40Z

Links: CVE-2026-33231 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:34:08Z

Weaknesses