Streamlit Cross-site Scripting vulnerability
Description
Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit app(s) were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with JavaScript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious JavaScript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| streamlit (PyPI) | >= 0.63.0, < 0.81.0 | 0.81.0 |
Affected products
- streamlit/streamlit v5 Range: >= 0.63.0, < 0.81.0
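To check a dependency list against the affected range above, the following added example (not code from the advisory or from the Streamlit project) classifies `streamlit` pins in a requirements file. The function names and the sample requirements are constructed for illustration; only the range `>= 0.63.0, < 0.81.0` comes from this page.

```python
import re

# Affected range as stated in the advisory on this page: >= 0.63.0, < 0.81.0
FIRST_AFFECTED = (0, 63, 0)
FIRST_PATCHED = (0, 81, 0)

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
_EXACT = re.compile(r"^==\s*(\d+(?:\.\d+)*)$")
# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
pandas==1.2.4
Streamlit[extra] == 0.80.0 ; python_version > "3.6"  # dashboard
streamlit-aggrid==0.2.3
streamlit>=0.70
"""


def parse_version(text):
    """Turn '0.79' into (0, 79, 0); plain dotted release numbers only."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_affected_range(version):
    return FIRST_AFFECTED <= parse_version(version) < FIRST_PATCHED


def classify(line):
    """None for non-streamlit lines, else 'affected', 'not_affected' or 'unresolved'."""
    line = line.split("#", 1)[0]          # drop trailing comment
    line = line.split(";", 1)[0].strip()  # drop environment marker
    m = _REQ.match(line)
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "streamlit":
        return None
    exact = _EXACT.match(m.group(2).strip())
    if not exact:
        return "unresolved"  # range, wildcard or no pin: check the installed version
    return "affected" if in_affected_range(exact.group(1)) else "not_affected"


def scan(text):
    """Return (line_number, status) for every streamlit requirement in text."""
    hits = [(n, classify(l)) for n, l in enumerate(text.splitlines(), 1)]
    return [(n, s) for n, s in hits if s]


if __name__ == "__main__":
    for n, status in scan(SAMPLE_REQUIREMENTS):
        print(f"line {n}: streamlit {status}")
```

An `unresolved` result means the line does not pin one exact release, so the version actually installed in the environment has to be checked separately.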
Patches
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9c6g-qpgj-rvxw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-27494 (ghsa, ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/streamlit/PYSEC-2023-50.yaml (ghsa, WEB)
- github.com/streamlit/streamlit/commit/afcf880c60e5d7538936cc2d9721b9e1bc02b075 (ghsa, x_refsource_MISC, WEB)
- github.com/streamlit/streamlit/security/advisories/GHSA-9c6g-qpgj-rvxw (ghsa, x_refsource_CONFIRM, WEB)