CVE-2026-33230 — Cross-site Scripting in Nltk

CWE-79 — Cross-site Scripting8 documents6 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 98.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nltk Debian Nltk

Timeline

PublishedMar 20

Description

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. This impacts users running the local Word…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶PyPInltk/nltk< 3.9.4

▶NVDnltk/nltk3.9.3

▶debiandebian/nltk

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-33230: NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Lang↗2026-03-20

▶

OSV

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk↗2026-03-18

▶

GHSA

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk↗2026-03-18

▶

📋Vendor Advisories

Red Hat

nltk: NLTK: Script execution via reflected cross-site scripting in WordNet Browser↗2026-03-20

▶

Debian

CVE-2026-33230: nltk - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data s...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33230 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶