Source: nltk
Version: 3.9.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nltk.

CVE-2026-12199[0]:
| A vulnerability in `nltk.app.wordnet_app` up to version 3.9.3 allows
| unauthenticated remote shutdown of the local WordNet Browser HTTP
| server when started in its default mode. The server listens on all
| interfaces and processes a specific unauthenticated GET request
| (`/SHUTDOWN%20THE%20SERVER`) to terminate the process immediately
| via `os._exit(0)`. This results in a denial of service, impacting
| service availability. The issue arises due to insufficient
| authentication and protection mechanisms for critical server
| functions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-12199
    https://www.cve.org/CVERecord?id=CVE-2026-12199
[1] https://huntr.com/bounties/cee4ca6a-d17f-4746-abad-c68119633d37

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
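
The weakness class in the CVE text above (a process-terminating control reachable by an unauthenticated GET on an all-interfaces listener), shown with its mitigations as an added example; this is not nltk's code, not an upstream patch, and not part of the original message. The names `make_server`, `request`, the `/shutdown` path and the `X-Shutdown-Token` header are hypothetical.

```python
import hmac
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def make_server(token, host="127.0.0.1", port=0):
    """Hypothetical server: shutdown needs POST + loopback peer + secret token."""
    stopped = threading.Event()

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def _reply(self, code, body=b""):
            self.send_response(code)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_GET(self):
            # GET never changes state here: the URL from the CVE text is just a 404.
            self._reply(404)

        def do_POST(self):
            if self.path != "/shutdown":
                return self._reply(404)
            supplied = self.headers.get("X-Shutdown-Token", "")
            local = self.client_address[0] in ("127.0.0.1", "::1")
            if not (local and hmac.compare_digest(supplied.encode(), token.encode())):
                return self._reply(403)
            stopped.set()
            self._reply(200, b"stopping")
            # shutdown() blocks until serve_forever() returns, so call it off-thread.
            threading.Thread(target=self.server.shutdown, daemon=True).start()

    server = ThreadingHTTPServer((host, port), Handler)  # loopback default, not 0.0.0.0
    return server, stopped

def request(port, method, path, headers=None):
    """Send one request to the local server and return the HTTP status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, headers=headers or {})
    status = conn.getresponse().status
    conn.close()
    return status

if __name__ == "__main__":
    srv, done = make_server(secrets.token_urlsafe(32))
    srv.serve_forever()
```

The orderly `server.shutdown()` also lets in-flight requests finish, unlike an immediate `os._exit(0)`.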

