Docker
CVE-2026-33230
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 68 pypi packages depend on nltk (35 direct, 34 indirect)
Ecosystem-wide dependent count for version 3.9.4.
DescriptionGitHub Advisory
Summary
nltk.app.wordnet_app contains a reflected cross-site scripting issue in the lookup_... route. A crafted lookup_<payload> URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled word data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application.
Details
The vulnerable flow is in nltk/app/wordnet_app.py:
nltk/app/wordnet_app.py:144- Requests starting with
lookup_are handled as HTML responses: page, word = page_from_href(sp)nltk/app/wordnet_app.py:755page_from_href()callspage_from_reference(Reference.decode(href))nltk/app/wordnet_app.py:769word = href.wordnltk/app/wordnet_app.py:796- If no results are found,
wordis inserted directly into the HTML body: body = "The word or words '%s' were not found in the dictionary." % word
This is inconsistent with the search route, which does escape user input:
nltk/app/wordnet_app.py:136word = html.escape(...)
As a result, a malicious lookup_... payload can inject script into the response page.
The issue is exploitable because:
Reference.decode()accepts attacker-controlled base64-encoded pickle data for the URL state.- The decoded
wordis reflected into HTML withouthtml.escape(). - The server is started with
HTTPServer(("", port), MyServerHandler), so it listens on all interfaces by default, not justlocalhost.
PoC
- Start the WordNet Browser in an isolated Docker environment:
docker run -d --name nltk-wordnet-web -p 8002:8002 \
nltk-sandbox \
python -c "import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8002, False)"- Use the following crafted payload, which decodes to:
("<script>alert(1)</script>", {})Encoded payload:
gAWVIQAAAAAAAACMGTxzY3JpcHQ-YWxlcnQoMSk8L3NjcmlwdD6UfZSGlC4=- Request the vulnerable route:
curl -s "http://127.0.0.1:8002/lookup_gAWVIQAAAAAAAACMGTxzY3JpcHQ-YWxlcnQoMSk8L3NjcmlwdD6UfZSGlC4="- Observed result:
The word or words '<script>alert(1)</script>' were not found in the dictionary.<img width="867" height="208" alt="127" src="https://github.com/user-attachments/assets/ec09da08-09bc-4fc4-bfc1-c4489e9adaf6" />
I also validated the issue directly at function level in Docker:
import base64
import pickle
from nltk.app.wordnet_app import page_from_href
payload = base64.urlsafe_b64encode(
pickle.dumps(("<script>alert(1)</script>", {}), -1)
).decode()
page, word = page_from_href(payload)
print(word)
print("<script>alert(1)</script>" in page)Observed output:
WORD= <script>alert(1)</script>
HAS_SCRIPT= TrueImpact
This is a reflected XSS issue in the NLTK WordNet Browser web UI.
An attacker who can convince a user to open a crafted lookup_... URL can execute arbitrary JavaScript in the origin of the local WordNet Browser application. This can be used to:
- run arbitrary script in the browser tab
- manipulate the page content shown to the user
- issue same-origin requests to other WordNet Browser routes
- potentially trigger available UI actions in that local app context
This primarily impacts users who run nltk.app.wordnet_app as a local or self-hosted HTTP service and open attacker-controlled links.
AnalysisAI
A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.
Technical ContextAI
The vulnerability resides in the NLTK library (affected CPE: pkg:pip/nltk), specifically in the wordnet_app.py module which provides a web-based interface for browsing WordNet linguistic data. The vulnerable code path involves the lookup_... HTTP route handler that calls page_from_href() to decode base64-encoded pickle data from the URL, extracting a word parameter that is subsequently inserted into HTML response bodies using string formatting (% operator) without invoking html.escape(). This contrasts with the search route which correctly applies html.escape(). The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a well-known XSS vulnerability class. The server binds to all interfaces by default (0.0.0.0) rather than localhost-only, expanding the potential attack surface in networked environments.
RemediationAI
Upgrade the NLTK library to a version that includes patch commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f or later by running 'pip install --upgrade nltk' and verifying the patched version is installed. The fix involves adding html.escape() to the word parameter insertion in the page_from_href() function, mirroring the protection already present in the search route. Until patching is possible, restrict network access to the WordNet Browser server to trusted localhost-only connections by binding to 127.0.0.1 instead of 0.0.0.0, disable the application if not actively needed, and implement a reverse proxy with input validation and output encoding to sanitize reflected parameters. Users should review the vendor advisory at https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7 for additional guidance.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-gfwx-w7gr-fvh7