Skip to main content

Docker CVE-2026-33230

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 https://github.com/nltk/nltk GHSA-gfwx-w7gr-fvh7
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 18, 2026 - 20:30 vuln.today
Patch released
Mar 18, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 18, 2026 - 20:23 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 68 pypi packages depend on nltk (35 direct, 34 indirect)

Ecosystem-wide dependent count for version 3.9.4.

DescriptionGitHub Advisory

Summary

nltk.app.wordnet_app contains a reflected cross-site scripting issue in the lookup_... route. A crafted lookup_<payload> URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled word data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application.

Details

The vulnerable flow is in nltk/app/wordnet_app.py:

This is inconsistent with the search route, which does escape user input:

As a result, a malicious lookup_... payload can inject script into the response page.

The issue is exploitable because:

  • Reference.decode() accepts attacker-controlled base64-encoded pickle data for the URL state.
  • The decoded word is reflected into HTML without html.escape().
  • The server is started with HTTPServer(("", port), MyServerHandler), so it listens on all interfaces by default, not just localhost.

PoC

  1. Start the WordNet Browser in an isolated Docker environment:
bash
docker run -d --name nltk-wordnet-web -p 8002:8002 \
  nltk-sandbox \
  python -c "import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8002, False)"
  1. Use the following crafted payload, which decodes to:
python
("<script>alert(1)</script>", {})

Encoded payload:

text
gAWVIQAAAAAAAACMGTxzY3JpcHQ-YWxlcnQoMSk8L3NjcmlwdD6UfZSGlC4=
  1. Request the vulnerable route:
bash
curl -s "http://127.0.0.1:8002/lookup_gAWVIQAAAAAAAACMGTxzY3JpcHQ-YWxlcnQoMSk8L3NjcmlwdD6UfZSGlC4="
  1. Observed result:
text
The word or words '<script>alert(1)</script>' were not found in the dictionary.

<img width="867" height="208" alt="127" src="https://github.com/user-attachments/assets/ec09da08-09bc-4fc4-bfc1-c4489e9adaf6" />

I also validated the issue directly at function level in Docker:

python
import base64
import pickle

from nltk.app.wordnet_app import page_from_href

payload = base64.urlsafe_b64encode(
    pickle.dumps(("<script>alert(1)</script>", {}), -1)
).decode()

page, word = page_from_href(payload)
print(word)
print("<script>alert(1)</script>" in page)

Observed output:

text
WORD= <script>alert(1)</script>
HAS_SCRIPT= True

Impact

This is a reflected XSS issue in the NLTK WordNet Browser web UI.

An attacker who can convince a user to open a crafted lookup_... URL can execute arbitrary JavaScript in the origin of the local WordNet Browser application. This can be used to:

  • run arbitrary script in the browser tab
  • manipulate the page content shown to the user
  • issue same-origin requests to other WordNet Browser routes
  • potentially trigger available UI actions in that local app context

This primarily impacts users who run nltk.app.wordnet_app as a local or self-hosted HTTP service and open attacker-controlled links.

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.

Technical ContextAI

The vulnerability resides in the NLTK library (affected CPE: pkg:pip/nltk), specifically in the wordnet_app.py module which provides a web-based interface for browsing WordNet linguistic data. The vulnerable code path involves the lookup_... HTTP route handler that calls page_from_href() to decode base64-encoded pickle data from the URL, extracting a word parameter that is subsequently inserted into HTML response bodies using string formatting (% operator) without invoking html.escape(). This contrasts with the search route which correctly applies html.escape(). The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a well-known XSS vulnerability class. The server binds to all interfaces by default (0.0.0.0) rather than localhost-only, expanding the potential attack surface in networked environments.

RemediationAI

Upgrade the NLTK library to a version that includes patch commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f or later by running 'pip install --upgrade nltk' and verifying the patched version is installed. The fix involves adding html.escape() to the word parameter insertion in the page_from_href() function, mirroring the protection already present in the search route. Until patching is possible, restrict network access to the WordNet Browser server to trusted localhost-only connections by binding to 127.0.0.1 instead of 0.0.0.0, disable the application if not actively needed, and implement a reverse proxy with input validation and output encoding to sanitize reflected parameters. Users should review the vendor advisory at https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7 for additional guidance.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-33230 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy