PT-2026-26217 · Nltk+2

Leduckhuong · Published 2026-03-18 · Updated 2026-06-03 · CVE-2026-33230

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NLTK versions 3.9.3 and prior

Description: NLTK (Natural Language Toolkit) contains a reflected cross-site scripting (XSS) issue in the lookup ... route of the nltk.app.wordnet_app application. A crafted lookup <payload> URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled word data is reflected into the HTML without proper escaping. This affects users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. The issue is exploitable because Reference.decode() accepts attacker-controlled base64-encoded pickle data as the URL state, and the decoded word is then reflected into the HTML unescaped. The vulnerable code is located in nltk/app/wordnet_app.py at lines 144, 755, 769, and 796. The affected API endpoint is /lookup <payload>; the vulnerable parameter is word.

Recommendations: Versions prior to 3.9.3 should be updated to address this issue.
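The description names two defects: URL state decoded with pickle from attacker-controlled base64, and a word reflected into HTML without escaping. The following is an added, constructed illustration of both patterns next to their hardened forms; it is not NLTK's code, and every function name, the JSON state schema and the `ALLOWED_POS` set are assumptions made for the example.

```python
"""Constructed example: unsafe vs. hardened handling of URL state and
reflected output, modelled on the defect classes in the advisory.
None of these functions are NLTK's; names and schema are hypothetical."""
import base64
import binascii
import html
import json
import pickle  # imported only to show the pattern that must not be used


def decode_state_unsafe(token: str):
    """Pattern to avoid: unpickling caller-controlled data lets the sender
    choose which objects get constructed during decoding."""
    return pickle.loads(base64.urlsafe_b64decode(token))


# Hardened replacement: a fixed, validated JSON schema instead of pickle.
ALLOWED_POS = {"n", "v", "a", "r"}  # hypothetical part-of-speech codes


def encode_state(word: str, pos: str) -> str:
    """Serialise the browser state as JSON, then base64 for the URL."""
    payload = json.dumps({"word": word, "pos": pos}).encode("utf-8")
    return base64.urlsafe_b64encode(payload).decode("ascii")


def decode_state(token: str) -> dict:
    """Decode the state token, rejecting anything outside the schema."""
    try:
        data = json.loads(base64.urlsafe_b64decode(token))
    except (ValueError, binascii.Error) as exc:  # bad base64, bad UTF-8, bad JSON
        raise ValueError("malformed state token") from exc
    if not isinstance(data, dict) or set(data) != {"word", "pos"}:
        raise ValueError("unexpected state fields")
    if not isinstance(data["word"], str) or data["pos"] not in ALLOWED_POS:
        raise ValueError("invalid state values")
    return data


def is_valid_state(token: str) -> bool:
    """Convenience wrapper so callers can test a token without exceptions."""
    try:
        decode_state(token)
        return True
    except ValueError:
        return False


def render_lookup_vulnerable(word: str) -> str:
    """Pattern to avoid: the looked-up word is interpolated verbatim, so
    any markup in it becomes part of the page (reflected XSS)."""
    return f"<h3>Results for {word}</h3>"


def render_lookup(word: str) -> str:
    """Hardened form: HTML-escape the word (quote=True also covers
    attribute contexts) before it reaches the response body."""
    return f"<h3>Results for {html.escape(word, quote=True)}</h3>"


if __name__ == "__main__":
    token = encode_state("dog", "n")
    print(decode_state(token))
    print(render_lookup("<b>dog</b>"))
```

The two checks reinforce each other: rejecting the pickle path removes the object-construction risk during decoding, and escaping at the point of output removes the reflection risk regardless of what the decoder returns.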

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-33230
ECHO-71BE-89BB-7761
GHSA-GFWX-W7GR-FVH7
MGASA-2026-0082
OPENSUSE-SU-2026:10461-1
USN-8302-1

Affected Products

Linuxmint
Nltk
Ubuntu