PyPI: nltk
CVE-2026-33230
Safety vulnerability ID: SFTY-20260318-07212
Safety legacy ID: pyup.io-89824
Affected versions of the nltk package are vulnerable to Cross-site Scripting (XSS) due to improper output encoding of user-controlled input. In nltk.app.wordnet_app, requests to the lookup_... route are processed through page_from_href() and page_from_reference(), where the decoded word value is inserted into the HTML response without html.escape(), specifically in the "The word or words '%s' were not found in the dictionary." % word code path.
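The defect described above is the classic string-interpolation XSS: a URL-decoded value is formatted into an HTML template with `%` and never passed through `html.escape()`. The following added example (constructed for this page, not nltk's own `wordnet_app` code; the function names, the `<p>` wrapper and the sample input are assumptions) shows the vulnerable pattern beside the hardened one and a small regression check that a reviewer or test suite can run over any renderer to confirm markup characters from the input never reach the response unencoded.

```python
import html
from urllib.parse import unquote

# The literal message from the advisory's affected code path.
NOT_FOUND_TEMPLATE = "The word or words '%s' were not found in the dictionary."

# Constructed sample: a URL-encoded word that decodes to a harmless <b> tag.
SAMPLE_ENCODED_WORD = "%3Cb%3Emarker%3C%2Fb%3E"


def not_found_html_unescaped(raw_word: str) -> str:
    """Vulnerable pattern (hypothetical helper): the decoded word is
    interpolated straight into the HTML body, so any '<' or '"' in the
    request reaches the browser as markup."""
    word = unquote(raw_word)
    return "<p>" + NOT_FOUND_TEMPLATE % word + "</p>"


def not_found_html_escaped(raw_word: str) -> str:
    """Hardened pattern (hypothetical helper): escape the decoded word
    before formatting it into the template. quote=True also encodes the
    quote characters, which matters because the template wraps the word
    in single quotes."""
    word = unquote(raw_word)
    return "<p>" + NOT_FOUND_TEMPLATE % html.escape(word, quote=True) + "</p>"


def leaks_raw_markup(rendered: str, raw_word: str) -> bool:
    """Regression check: True if the decoded input contained markup
    characters and that decoded text appears verbatim in the response,
    i.e. the renderer did not encode it."""
    decoded = unquote(raw_word)
    has_markup = any(ch in decoded for ch in "<>\"'&")
    return has_markup and decoded in rendered


if __name__ == "__main__":
    for name, render in (("unescaped", not_found_html_unescaped),
                         ("escaped", not_found_html_escaped)):
        page = render(SAMPLE_ENCODED_WORD)
        print(f"{name}: leaks markup = {leaks_raw_markup(page, SAMPLE_ENCODED_WORD)}")
        print("  ", page)
```

The check generalizes beyond the single code path in the advisory: any view function that builds a response from a decoded request value can be fed `SAMPLE_ENCODED_WORD` and asserted with `leaks_raw_markup`, which turns the fix from a one-off patch into something a test suite keeps enforcing.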
Overview
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk
References
- https://getsafety.com/vulnerabilities/SFTY-20260318-07212/CVE-2026-33230
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33230
- https://data.safetycli.com/changelogs/nltk/
- https://github.com/advisories/GHSA-gfwx-w7gr-fvh7
- https://pypi.org/project/nltk
- https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7
- https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f
- https://nvd.nist.gov/vuln/detail/CVE-2026-33230
- https://github.com/nltk/nltk/commit/40d0bc1d484a3458d6a63ecb5ba4957ab16ba14e
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.