PyPI: streamlit

CVE-2023-27494

Safety vulnerability ID: SFTY-20230316-39879

Safety legacy ID: pyup.io-54668

Streamlit affected versions have a cross-site scripting (XSS) vulnerability. Hosted Streamlit app(s) users were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious javascript payload as-is, leading to XSS.

PythonPyPINVDNVDGitHubGHSA
Created at: May 21, 2026Updated at: May 21, 2026

Overview

Streamlit publishes previously-patched Cross-site Scripting vulnerability

Advisory

Streamlit affected versions have a cross-site scripting (XSS) vulnerability. Hosted Streamlit app(s) users were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious javascript payload as-is, leading to XSS.

Affected Package

Affecting streamlit package, versions
>=0.63.0,<0.81.0

Also affects

---

How to Fix

Upgrade
streamlit
to
0.81.0
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more