Bug 2449825 (CVE-2026-33230) - CVE-2026-33230 nltk: NLTK: Script execution via reflected cross-site scripting in WordNet Browser
Summary: CVE-2026-33230 nltk: NLTK: Script execution via reflected cross-site scriptin...
Keywords:
Status: NEW
Alias: CVE-2026-33230
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-20 23:02 UTC by OSIDB Bzimport
Modified: 2026-03-23 06:38 UTC (History)
27 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-20 23:02:18 UTC 
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. Commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue.
Note You need to log in before you can comment on or make changes to this bug.