CVE-2026-33230 - Vulnerability Analysis
Severity: Medium | CVSS: 6.1 | Last Updated: March 23, 2026
NLTK - Reflected XSS
Published: March 20, 2026 | Updated: March 23, 2026 | PoC Available | Remote Exploitable
Overview
NLTK <= 3.9.3 contains a reflected XSS caused by unescaped attacker-controlled 'word' data in the lookup_... route of nltk.app.wordnet_app. A remote attacker can cause script to execute in the browser of a user of the WordNet Browser; exploitation requires that the local WordNet Browser server be running.
Severity & Score
Severity: Medium
CVSS Score: 6.1
Impact
Attackers can execute arbitrary scripts in the browser of users running the local WordNet Browser server, which may lead to session hijacking or data theft.
Mitigation
Update to a version including commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f or later.
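The unescaped-interpolation pattern the Overview describes, shown beside its escaped form and a regression check a maintainer could keep in a test suite. This is an added illustration, not code from nltk.app.wordnet_app; the function names and the probe value are assumptions.

```python
import html

# Hypothetical minimal rendering routine modelled on the flaw the advisory
# describes: the user-supplied 'word' value is interpolated straight into the
# HTML response. This is NOT nltk.app.wordnet_app's own code.
def render_lookup_vulnerable(word: str) -> str:
    return f"<html><body><h2>Lookup results for {word}</h2></body></html>"


# Hardened form: escape the value for the HTML body context before
# interpolation. html.escape turns < > & " ' into entities, so any markup in
# 'word' is displayed as text instead of being parsed by the browser.
def render_lookup_fixed(word: str) -> str:
    safe = html.escape(word, quote=True)
    return f"<html><body><h2>Lookup results for {safe}</h2></body></html>"


# Constructed probe containing HTML metacharacters (benign markup only).
PROBE = '<b>dog</b> & "cat"'


def check_reflection(render, probe: str = PROBE) -> dict:
    """Return whether the raw probe and/or its escaped form appear in the
    rendered page. A correct handler reflects only the escaped form."""
    out = render(probe)
    return {
        "raw_reflected": probe in out,
        "escaped_reflected": html.escape(probe, quote=True) in out,
    }


if __name__ == "__main__":
    print("vulnerable:", check_reflection(render_lookup_vulnerable))
    print("fixed:     ", check_reflection(render_lookup_fixed))
```

The same check can be pointed at a real handler by passing a function that performs the request and returns the response body.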
Details
- CVE ID: CVE-2026-33230
- Severity: Medium
- CVSS Score: 6.1
- Type: reflected_xss
- Status: confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N