{"id":"CVE-2023-27494","summary":"Streamlit Cross-site Scripting vulnerability","details":"Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit app(s) were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with JavaScript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious JavaScript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.","aliases":["GHSA-9c6g-qpgj-rvxw","PYSEC-2023-50"],"modified":"2026-04-10T04:56:42.119128Z","published":"2023-03-16T20:29:17.975Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/27xxx/CVE-2023-27494.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/27xxx/CVE-2023-27494.json"},{"type":"ADVISORY","url":"https://github.com/streamlit/streamlit/security/advisories/GHSA-9c6g-qpgj-rvxw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27494"},{"type":"FIX","url":"https://github.com/streamlit/streamlit/commit/afcf880c60e5d7538936cc2d9721b9e1bc02b075"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/streamlit/streamlit","events":[{"introduced":"417b501171938ac556b01db028f61a934f5b4351"},{"fixed":"1de89145c88332020cc9ea896e7836a551034d17"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27494.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"}]}