
Plotly Security Advisory - XSS in Plotly web interface

Summary of issue

Two separate Cross-Site Scripting (XSS) vulnerabilities have been fixed in the Plotly web interface.

  1. By tricking an unsuspecting user into following a specially crafted link to Plotly Cloud, an attacker could perform any action using the victim’s credentials on that site.

  2. An attacker could trick an unsuspecting user into viewing a specially crafted dashboard on Plotly Cloud or a Plotly On-Premise server. The vulnerability would have allowed the attacker to perform any action using the victim’s credentials on that site.

Thanks to Nassim Bouali and Mahmoud G. for reporting these issues.

Affected products and versions

Resolution

General notes regarding security reporting

Please send all security reports concerning Plotly security products to security@plot.ly.

