Skip to main content

Streamlit

4 CVEs product

Monthly

CVE-2026-10804 PyPI LOW PATCH Monitor

Hash collision vulnerability in Streamlit's caching layer (versions up to 1.53.0) allows a local low-privileged attacker to poison the application cache by supplying crafted PIL palette-mode images or large dataframes that produce identical hash digests for distinct objects. The root cause is twofold: PIL 'P'-mode (palette-indexed) images excluded palette data from the hash computation entirely, and fixed seed values (random_state=0) were used when sampling large pandas, numpy, and polars objects - both enabling deterministic hash collisions. No public exploit identified at time of analysis beyond the public disclosure of the issue. EPSS data is not available, but the CVSS 1.1 score (AV:L/AC:H/PR:L) places real-world risk as very low.

Information Disclosure Streamlit
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2024-42474 PyPI MEDIUM PATCH This Month

Streamlit is a data oriented application development framework for python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Python Microsoft Streamlit
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-27494 PyPI MEDIUM PATCH This Month

Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Streamlit
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-35918 PyPI MEDIUM PATCH This Month

Streamlit is a data oriented application development framework for python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Streamlit
NVD GitHub
CVSS 3.1
6.5
EPSS
1.3%
EPSS 0% CVSS 1.1
LOW PATCH Monitor

Hash collision vulnerability in Streamlit's caching layer (versions up to 1.53.0) allows a local low-privileged attacker to poison the application cache by supplying crafted PIL palette-mode images or large dataframes that produce identical hash digests for distinct objects. The root cause is twofold: PIL 'P'-mode (palette-indexed) images excluded palette data from the hash computation entirely, and fixed seed values (random_state=0) were used when sampling large pandas, numpy, and polars objects - both enabling deterministic hash collisions. No public exploit identified at time of analysis beyond the public disclosure of the issue. EPSS data is not available, but the CVSS 1.1 score (AV:L/AC:H/PR:L) places real-world risk as very low.

Information Disclosure Streamlit
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Streamlit is a data oriented application development framework for python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Python Microsoft +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Streamlit, software for turning data scripts into web applications, had a cross-site scripting (XSS) vulnerability in versions 0.63.0 through 0.80.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Streamlit
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Streamlit is a data oriented application development framework for python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Streamlit
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy