VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2026

Unauthenticated Denial of Service in nltk.app.wordnet_app

CVE-2026-12199

Description

A vulnerability in nltk.app.wordnet_app up to version 3.9.3 allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when started in its default mode. The server listens on all interfaces and processes a specific unauthenticated GET request (/SHUTDOWN%20THE%20SERVER) to terminate the process immediately via os._exit(0). This results in a denial of service, impacting service availability. The issue arises due to insufficient authentication and protection mechanisms for critical server functions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"The HTTP server binds to all network interfaces and exposes an unauthenticated shutdown endpoint (`/SHUTDOWN%20THE%20SERVER`) that calls `os._exit(0)`."

Attack vector

An unauthenticated remote attacker who can reach the WordNet Browser HTTP server (which by default listens on all interfaces) sends a simple GET request to `/SHUTDOWN%20THE%20SERVER`. The server immediately terminates the process via `os._exit(0)`, causing a denial of service. No authentication, session, or special network position is required beyond network connectivity to the server's port. [patch_id=6307220]

Affected code

The vulnerability is in `nltk/app/wordnet_app.py` in the `wnb()` function and the `do_GET()` method of `MyServerHandler`. The server binds to all interfaces (`""`) and processes an unauthenticated `GET /SHUTDOWN%20THE%20SERVER` request by calling `os._exit(0)`. [patch_id=6307220] [patch_id=6307221]

What the fix does

Patch [patch_id=6307220] changes the `HTTPServer` bind address from `""` (all interfaces) to `"127.0.0.1"` (localhost only). This prevents any remote client from reaching the server, eliminating the unauthenticated shutdown vector entirely. The commit message explains that the WordNet browser is a local development tool and should not be accessible from the network. Patch [patch_id=6307221] addresses a separate reflected XSS vulnerability by escaping the `nextWord` parameter with `html.escape()` before it is rendered into the HTML response.
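The two hardening steps the patches describe, shown as an added illustration (not NLTK's own code): a check that classifies a bind address as network-exposed or loopback-only, and a small socket-free request router with hypothetical names (`route_get`, `SHUTDOWN_PATH`) that, as a second layer beyond the bind address, only honours the shutdown path from a loopback client and escapes `nextWord` with `html.escape()` before rendering it.

```python
import html
import ipaddress
from typing import Tuple
from urllib.parse import parse_qs, unquote, urlparse

# URL-decoded form of the shutdown path named in the advisory (hypothetical constant name).
SHUTDOWN_PATH = "/SHUTDOWN THE SERVER"


def bind_is_network_exposed(host: str) -> bool:
    """True when an HTTPServer bind address accepts connections from other hosts.

    "" is the pre-fix value (all interfaces); "127.0.0.1" is the fixed value.
    "0.0.0.0" and "::" are the explicit wildcard spellings of the same exposure.
    """
    if host in ("", "0.0.0.0", "::"):
        return True
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unresolved hostname: assume the worst


def route_get(client_ip: str, raw_path: str) -> Tuple[int, str]:
    """Pure router for a GET request: returns (status, body) without touching sockets."""
    parsed = urlparse(raw_path)
    path = unquote(parsed.path)          # "/SHUTDOWN%20THE%20SERVER" -> "/SHUTDOWN THE SERVER"
    query = parse_qs(parsed.query)

    if path == SHUTDOWN_PATH:
        # Defence in depth: even if the bind address is widened later, only a
        # loopback peer may stop the process. The real server would stop here.
        try:
            if not ipaddress.ip_address(client_ip).is_loopback:
                return 403, "shutdown is only accepted from localhost"
        except ValueError:
            return 403, "unrecognised client address"
        return 200, "shutting down"

    # Escape the user-controlled parameter before it lands in HTML (the second patch's fix).
    next_word = query.get("nextWord", [""])[0]
    safe_word = html.escape(next_word, quote=True)
    return 200, f'<input type="text" name="nextWord" value="{safe_word}">'
```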

Preconditions

  • config: The WordNet Browser HTTP server must be running in its default mode (listening on all interfaces).
  • network: The attacker must have network connectivity to the server's port.
  • auth: No authentication or prior access is required.

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
