wid-sec-w-2026-0895 · Published 2026-03-26 · View on BSI CERT-Bund ↗

IBM App Connect Enterprise: Multiple Vulnerabilities

CVSS 9.2 CRITICAL

Risk Summary

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. Commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue.

CVEs (4)

CVE-2026-33230 CVE-2026-33231 CVE-2026-33236 CVE-2026-1615

Affected Vendors

IBM

Affected Products (6)

IBM · App Connect Enterprise <11.6.0

IBM · App Connect Enterprise 11.6.0

IBM · App Connect Enterprise <12.21.0

IBM · App Connect Enterprise 12.21.0

IBM · App Connect Enterprise LTS <12.0.22

IBM · App Connect Enterprise LTS 12.0.22

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more