PT-2026-26299 · Nltk · Nltk

Leduckhuong · Published 2026-03-19 · Updated 2026-05-25 · CVE-2026-33231

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

NLTK versions 3.9.3 and prior

Description

NLTK's nltk.app.wordnet_app component allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A single GET request to the /SHUTDOWN%20THE%20SERVER endpoint causes the process to terminate immediately via os._exit(0), resulting in a denial of service. The vulnerable logic resides in the nltk/app/wordnet_app.py file, specifically in the MyServerHandler class. The server listens on all interfaces and checks for the exact path SHUTDOWN THE SERVER. When the server mode is set to False (the default), the handler terminates the process directly.

Recommendations

Versions prior to 3.9.3 should be updated to a newer version that includes the fix.
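
The two conditions named in the description (a listener on all interfaces and a shutdown path honoured for any GET) can be closed off as in the sketch below. It is an added example, not NLTK's code or its fix: it uses Python's standard http.server as a stand-in, and HardenedHandler, start_server, get_status and demo are hypothetical names.

```python
import http.client
import http.server
import threading
import urllib.parse

SHUTDOWN_PATH = "SHUTDOWN THE SERVER"  # exact path the advisory says is checked

class HardenedHandler(http.server.BaseHTTPRequestHandler):
    """Hypothetical stand-in for a local browser-style handler (not NLTK code)."""
    def do_GET(self):
        path = urllib.parse.unquote(self.path.lstrip("/"))
        if path == SHUTDOWN_PATH:
            # The pattern in the advisory terminates the process at this point
            # for any client. Here the request is refused and serving continues.
            self._reply(403, "shutdown over unauthenticated GET is disabled\n")
        else:
            self._reply(200, "page for %r\n" % path)

    def _reply(self, status, text):
        body = text.encode("utf-8")
        self.send_response(status)  # default handler logging stays on for review
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_server():
    # Bind to loopback only; ("", port) would listen on all interfaces.
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), HardenedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def get_status(server, path):
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    conn.request("GET", path)
    status = conn.getresponse().status
    conn.close()
    return status

def demo():
    server = start_server()
    try:
        # The second request only succeeds if the first left the process alive.
        return (get_status(server, "/SHUTDOWN%20THE%20SERVER"),
                get_status(server, "/index"), server.server_address[0])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```
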

Exploit

Fix

DoS

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-33231
ECHO-05D0-935C-6543
GHSA-JM6W-M3J8-898G
USN-8302-1

Affected Products

Nltk