CVE-2026-33230: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk
nltk.app.wordnet_app contains a reflected cross-site scripting issue in the lookup_... route. A crafted lookup_<payload> URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled word data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application.
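The reflection pattern described above and its output-encoding fix, as an added example that is not nltk's own code. The function names, the page template and the sample path are constructed for illustration.

```python
import html
from urllib.parse import unquote

PREFIX = "lookup_"  # route prefix named in the advisory

# Constructed sample request path: percent-encoded inert markup "<b>dog</b>".
SAMPLE_PATH = "/lookup_%3Cb%3Edog%3C%2Fb%3E"


def extract_word(path):
    """Return the percent-decoded word from a /lookup_<word> path, else None."""
    name = path.lstrip("/")
    if not name.startswith(PREFIX):
        return None
    return unquote(name[len(PREFIX):])


def render_unescaped(word):
    """Flawed pattern: request data concatenated straight into markup."""
    return '<html><body><h1>Results for "' + word + '"</h1></body></html>'


def render_escaped(word):
    """Fixed pattern: encode for the HTML context at the point of output."""
    safe = html.escape(word, quote=True)  # & < > " ' become entities
    return '<html><body><h1>Results for "' + safe + '"</h1></body></html>'


def reflects_raw(render, word):
    """Regression check: True if the renderer echoes the word byte-for-byte
    even though it contains HTML metacharacters."""
    has_meta = any(c in word for c in "<>&\"'")
    return has_meta and word in render(word)


if __name__ == "__main__":
    w = extract_word(SAMPLE_PATH)
    print("unescaped reflects raw input:", reflects_raw(render_unescaped, w))
    print("escaped reflects raw input:  ", reflects_raw(render_escaped, w))
    print(render_escaped(w))
```

A check like `reflects_raw` can be kept as a regression test against any handler that builds HTML from request data.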