Description
Affected versions of plotly.js are vulnerable to cross-site scripting if an attacker can convince a user to visit a malicious plot on a site using this package.
Recommendation
Update the plotly.js package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.16.0
- Patched version(s): 1.16.0
References
- GHSA-2fqv-h3r5-m4vf
- acloudtree.com
- www.npmjs.com
- help.plot.ly
- CVE-2017-1000006
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - vega-expression - CVE-2025-59840
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- Froala WYSIWYG editor allows cross-site scripting (XSS) - CVE-2024-51434
- Cross-site Scripting (XSS) in serve-lite - CVE-2022-25847
You might also like:
- Tags:
- npm
- plotly.js
Anything's wrong? Let us know Last updated on January 09, 2023


