Description
Affected versions of plotly.js are vulnerable to cross-site scripting if an attacker can convince a user to visit a malicious plot on a site using this package.
Recommendation
Update the plotly.js package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.16.0
- Patched version(s): 1.16.0
References
- GHSA-2fqv-h3r5-m4vf
- acloudtree.com
- www.npmjs.com
- help.plot.ly
- CVE-2017-1000006
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- @tiptap/extension-link vulnerable to Cross-site Scripting (XSS) - CVE-2025-14284
- Stored Cross-site Scripting (XSS) in excalidraw's web embed component - CVE-2024-32472
- ghtml Cross-Site Scripting (XSS) vulnerability - CVE-2024-37166
- Tags:
- npm
- plotly.js
Anything's wrong? Let us know Last updated on January 09, 2023