Moderate severityNVD Advisory· Published Mar 20, 2026· Updated Mar 24, 2026

nltk Vulnerable to Cross-site Scripting

CVE-2026-33230

Description

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, nltk.app.wordnet_app contains a reflected cross-site scripting issue in the lookup_... route. A crafted lookup_<payload> URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled word data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. Commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
nltkPyPI	< 3.9.4	3.9.4

Affected products

Nltk/Nltkv5
Range: <= 3.9.3

Patches

40d0bc1d484a

Merge commit from fork

https://github.com/nltk/nltkalvationsMar 18, 2026via ghsa

commit

1 file changed · +3 −1

nltk/app/wordnet_app.py+3 −1 modified

@@ -793,7 +793,9 @@ def page_from_reference(href):
                 except KeyError:
                     pass
     if not body:
-        body = "The word or words '%s' were not found in the dictionary." % word
+        body = "The word or words '%s' were not found in the dictionary." % html.escape(
+            word
+        )
     return body, word

1c3f799607ee

Fix XSS in wordnet_app lookup route

https://github.com/nltk/nltknatgillinMar 18, 2026via ghsa

commit

1 file changed · +3 −1

nltk/app/wordnet_app.py+3 −1 modified

@@ -793,7 +793,9 @@ def page_from_reference(href):
                 except KeyError:
                     pass
     if not body:
-        body = "The word or words '%s' were not found in the dictionary." % word
+        body = "The word or words '%s' were not found in the dictionary." % html.escape(
+            word
+        )
     return body, word

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-gfwx-w7gr-fvh7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-33230ghsaADVISORY
github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8fghsax_refsource_MISCWEB
github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14eghsax_refsource_MISCWEB
github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000