Source: nltk
Version: 3.9.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nltk.

CVE-2026-33230[0]:
| NLTK (Natural Language Toolkit) is a suite of open source Python
| modules, data sets, and tutorials supporting research and
| development in Natural Language Processing. In versions 3.9.3 and
| prior, `nltk.app.wordnet_app` contains a reflected cross-site
| scripting issue in the `lookup_...` route. A crafted
| `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the
| response page because attacker-controlled `word` data is reflected
| into HTML without escaping. This impacts users running the local
| WordNet Browser server and can lead to script execution in the
| browser origin of that application. Commit
| 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33230
    https://www.cve.org/CVERecord?id=CVE-2026-33230
[1] https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7
[2] https://github.com/nltk/nltk/commit/1c3f799607eeb088cab2491dcf806ae83c29ad8f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
debian-science-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
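The defect class the advisory describes (a `word` taken from a `lookup_<word>` path and interpolated into HTML unescaped) and the corresponding fix, as an added illustration that is not nltk's own `wordnet_app` code and not the content of the referenced commit; the route parsing, the two renderers and the probe value are hypothetical, constructed to show how a maintainer can regression-test the escaping.

```python
import html
from urllib.parse import unquote

# Constructed probe value for a regression check: it carries every
# HTML-significant character (< > " ' &) that must not reach the page raw.
PROBE = '<b title="x">&\'</b>'


def word_from_path(path: str) -> str:
    """Extract the word from a '/lookup_<word>' route path, percent-decoded.

    Hypothetical helper: the real application's routing is not reproduced.
    """
    prefix = "/lookup_"
    if not path.startswith(prefix):
        raise ValueError("not a lookup route")
    return unquote(path[len(prefix):])


def render_unsafe(word: str) -> str:
    """Pre-fix pattern from the advisory: raw interpolation into HTML."""
    return f"<html><body><h2>Results for {word}</h2></body></html>"


def render_safe(word: str) -> str:
    """Fixed pattern: escape before interpolation.

    quote=True also converts " and ', so the value is safe inside
    attribute values as well as in element text.
    """
    return (
        "<html><body><h2>Results for "
        f"{html.escape(word, quote=True)}</h2></body></html>"
    )


def reflects_unescaped(render, word: str = PROBE) -> bool:
    """True if the renderer lets the probe through verbatim.

    Usable as a regression test: a correctly escaping renderer never
    returns a page that contains the raw probe string.
    """
    return word in render(word)
```

`reflects_unescaped(render_unsafe)` is True and `reflects_unescaped(render_safe)` is False; the escaped page still round-trips to the original word via `html.unescape`.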
