CVE-2023-27494

Streamlit Cross-site Scripting vulnerability

Description

Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Users of hosted Streamlit app(s) were vulnerable to a reflected XSS vulnerability. An attacker could craft a malicious URL with Javascript payloads to a Streamlit app. The attacker could then trick the user into visiting the malicious URL and, if successful, the server would render the malicious javascript payload as-is, leading to XSS. Version 0.81.0 contains a patch for this vulnerability.

Category

5.9
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.51%
Vendor Advisory github.com
Affected: streamlit streamlit
Published at:
Updated at:

References

Link Tags
https://github.com/streamlit/streamlit/security/advisories/GHSA-9c6g-qpgj-rvxw vendor advisory
https://github.com/streamlit/streamlit/commit/afcf880c60e5d7538936cc2d9721b9e1bc02b075 patch

Frequently Asked Questions

What is the severity of CVE-2023-27494?
CVE-2023-27494 has been scored as a medium severity vulnerability.
How to fix CVE-2023-27494?
To fix CVE-2023-27494, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-27494 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-27494 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-27494?
CVE-2023-27494 affects streamlit streamlit.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.