{"id":"CVE-2021-32670","details":"Datasette is an open source multi-tool for exploring and publishing data. The `?_trace=1` debugging feature in Datasette does not correctly escape generated HTML, resulting in a [reflected cross-site scripting](https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks) vulnerability. This vulnerability is particularly relevant if your Datasette installation includes authenticated features using plugins such as [datasette-auth-passwords](https://datasette.io/plugins/datasette-auth-passwords), as an attacker could use the vulnerability to access protected data. Datasette 0.57 and 0.56.1 both include patches for this issue. If you run Datasette behind a proxy, you can work around this issue by rejecting any incoming requests with `?_trace=` or `&_trace=` in their query string parameters.","aliases":["GHSA-gff3-739c-gxfq","GHSA-xw7c-jx9m-xh5g","PYSEC-2021-89"],"modified":"2026-04-10T04:33:19.332855Z","published":"2021-06-07T22:15:07.650Z","related":["GHSA-xw7c-jx9m-xh5g"],"references":[{"type":"ADVISORY","url":"https://github.com/simonw/datasette/security/advisories/GHSA-xw7c-jx9m-xh5g"},{"type":"ADVISORY","url":"https://owasp.org/www-community/attacks/xss/#reflected-xss-attacks"},{"type":"ADVISORY","url":"https://pypi.org/project/datasette/"},{"type":"ADVISORY","url":"https://datasette.io/plugins/datasette-auth-passwords"},{"type":"FIX","url":"https://github.com/simonw/datasette/issues/1360"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/simonw/datasette","events":[{"introduced":"0"},{"fixed":"6536e02f7412591501eeda9b07ef7977246578f2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.56.1"}]}}],"versions":["0.10","0.11","0.12","0.13","0.14","0.15","0.16","0.17","0.18","0.19","0.20","0.21","0.22","0.22.1","0.23","0.23.1","0.23.2","0.24","0.25","0.25.1","0.25.2","0.26","0.26.1","0.26.2","0.27","0.28","0.29","0.29.1","0.29.2","0.29.3","0.30","0.30.1","0.30.2","0.31","0.31.1","0.31.2","0.32","0.33",
"0.34","0.35","0.36","0.37","0.37.1","0.38","0.39","0.40","0.41","0.42","0.43","0.44","0.45","0.45a0","0.45a1","0.45a2","0.45a3","0.45a4","0.45a5","0.46","0.47","0.47.1","0.47.2","0.47.3","0.48","0.49","0.49.1","0.49a0","0.49a1","0.50","0.50.1","0.50.2","0.50a0","0.50a1","0.51","0.51.1","0.51a0","0.51a1","0.51a2","0.52","0.52.1","0.52.2","0.52.3","0.52.4","0.53","0.54","0.54a0","0.55","0.56","0.7","0.8","0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32670.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}