Unauthenticated Remote Shutdown Vulnerability in NLTK WordNet Browser
CVE-2026-12199

7.5HIGH

Key Information:

Vendor: Nltk
Status: Nltk/nltk
Vendor: CVE Published:; 17 June 2026

What is CVE-2026-12199?

A vulnerability exists in the NLTK WordNet Browser, allowing unauthenticated users to remotely shut down the local HTTP server. When the server operates in its default configuration, it listens for all network interfaces and can be targeted with a specific unauthenticated GET request (/SHUTDOWN%20THE%20SERVER). This request leads to an immediate termination of the server process via a direct operating system call, resulting in Denial of Service and affecting the availability of the service. The root cause lies in inadequate authentication safeguards and insufficient protection for essential server functionalities.

Affected Version(s)

nltk/nltk <= unspecified

References

https://huntr.com/bounties/cee4ca6a-d17f-4746-abad-c68119...

CVSS V3.0

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Jun 14, 2026

CVE-2026-12199 Data

JSON

Nltk

What is CVE-2026-12199?

Affected Version(s)

References

CVSS V3.0

Timeline