{
"affected": [
{
"ecosystem_specific": {},
"package": {
"ecosystem": "PyPI",
"name": "streamlit",
"purl": "pkg:pypi/streamlit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.54.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1",
"0.11.0",
"0.12.2",
"0.12.3",
"0.12.4",
"0.13.0",
"0.13.1",
"0.13.3",
"0.13.5",
"0.14.2",
"0.15.0",
"0.15.1",
"0.15.2",
"0.15.3",
"0.15.4",
"0.15.5",
"0.15.6",
"0.16.0",
"0.16.1",
"0.16.2",
"0.16.3",
"0.17.0",
"0.17.1",
"0.17.2",
"0.18.0",
"0.18.1",
"0.19.0",
"0.19.1",
"0.2",
"0.20.0",
"0.21.0",
"0.22.0",
"0.22.1",
"0.22.2",
"0.23.0",
"0.24.0",
"0.24.1",
"0.24.2",
"0.24.3",
"0.25.0",
"0.26.0",
"0.26.1",
"0.27.0",
"0.28.0",
"0.29.0",
"0.3",
"0.30.0",
"0.31.0",
"0.32.0",
"0.33.0",
"0.34.0",
"0.35.0",
"0.36.0",
"0.37.0",
"0.4",
"0.40.0",
"0.40.1",
"0.41.0",
"0.42.0",
"0.43.0",
"0.43.1",
"0.43.2",
"0.44.0",
"0.45.0",
"0.46.0",
"0.47.0",
"0.47.1",
"0.47.2",
"0.47.3",
"0.47.4",
"0.48.0",
"0.48.1",
"0.49.0",
"0.5",
"0.50.0",
"0.50.1",
"0.50.2",
"0.51.0",
"0.52.0",
"0.52.1",
"0.52.2",
"0.53.0",
"0.54.0",
"0.55.0",
"0.55.2",
"0.56.0",
"0.57.0",
"0.57.1",
"0.57.2",
"0.57.3",
"0.58.0",
"0.59.0",
"0.6",
"0.60.0",
"0.61.0",
"0.62.0",
"0.62.1",
"0.63.0",
"0.63.1",
"0.64.0",
"0.65.0",
"0.65.1",
"0.65.2",
"0.66.0",
"0.67.0",
"0.67.1",
"0.68.0",
"0.68.1",
"0.69.0",
"0.69.1",
"0.69.2",
"0.7",
"0.70.0",
"0.71.0",
"0.72.0",
"0.73.0",
"0.73.1",
"0.74.0",
"0.74.1",
"0.75.0",
"0.76.0",
"0.77.0",
"0.78.0",
"0.79.0",
"0.8",
"0.8.2",
"0.80.0",
"0.81.0",
"0.81.1",
"0.82.0",
"0.83.0",
"0.84.0",
"0.84.1",
"0.84.2",
"0.85.0",
"0.85.1",
"0.86.0",
"0.87.0",
"0.88.0",
"0.89.0",
"0.9.0",
"1.0.0",
"1.1.0",
"1.10.0",
"1.10.0rc1",
"1.10.0rc2",
"1.11.0",
"1.11.0rc1",
"1.11.1",
"1.11.1rc1",
"1.12.0",
"1.12.0rc1",
"1.12.0rc2",
"1.12.1",
"1.12.1rc1",
"1.12.2",
"1.12.2rc1",
"1.12.2rc2",
"1.13.0",
"1.13.0rc1",
"1.13.0rc2",
"1.14.0",
"1.14.0rc1",
"1.14.1",
"1.14.1rc1",
"1.15.0",
"1.15.1",
"1.15.2",
"1.15.2rc1",
"1.16.0",
"1.17.0",
"1.18.0",
"1.18.1",
"1.18.1rc1",
"1.19.0",
"1.2.0",
"1.20.0",
"1.21.0",
"1.22.0",
"1.23.0",
"1.23.1",
"1.24.0",
"1.24.1",
"1.25.0",
"1.26.0",
"1.26.1",
"1.27.0",
"1.27.1",
"1.27.2",
"1.28.0",
"1.28.1",
"1.28.2",
"1.29.0",
"1.3.0",
"1.3.1",
"1.30.0",
"1.31.0",
"1.31.1",
"1.32.0",
"1.32.1",
"1.32.2",
"1.32.2rc1",
"1.33.0",
"1.34.0",
"1.35.0",
"1.36.0",
"1.37.0",
"1.37.1",
"1.38.0",
"1.39.0",
"1.39.1",
"1.4.0",
"1.40.0",
"1.40.1",
"1.40.2",
"1.41.0",
"1.41.1",
"1.42.0",
"1.42.1",
"1.42.2",
"1.43.0",
"1.43.1",
"1.43.2",
"1.44.0",
"1.44.1",
"1.45.0",
"1.45.1",
"1.46.0",
"1.46.1",
"1.47.0",
"1.47.1",
"1.48.0",
"1.48.1",
"1.49.0",
"1.49.1",
"1.5.0",
"1.5.1",
"1.50.0",
"1.51.0",
"1.52.0",
"1.52.1",
"1.52.2",
"1.53.0",
"1.53.1",
"1.6.0",
"1.6.0rc3",
"1.6.0rc4",
"1.7.0",
"1.8.0",
"1.8.0rc1",
"1.8.1",
"1.8.1rc1",
"1.9.0",
"1.9.0rc1",
"1.9.1",
"1.9.1rc1",
"1.9.1rc2",
"1.9.2",
"1.9.2rc1"
]
}
],
"aliases": [
"CVE-2026-33682",
"GHSA-7p48-42j8-8846"
],
"details": "Streamlit is a data oriented application development framework for python. Streamlit Open Source versions prior to 1.54.0 running on Windows hosts have an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied filesystem paths. In certain code paths, including within the `ComponentRequestHandler`, filesystem paths are resolved using `os.path.realpath()` or `Path.resolve()` before sufficient validation occurs. On Windows systems, supplying a malicious UNC path (e.g., `\\\\attacker-controlled-host\\share`) can cause the Streamlit server to initiate outbound SMB connections over port 445. When Windows attempts to authenticate to the remote SMB server, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted. This behavior may allow an attacker to perform NTLM relay attacks against other internal services and/or identify internally reachable SMB hosts via timing analysis. The vulnerability has been fixed in Streamlit Open Source version 1.54.0.",
"id": "PYSEC-2026-2285",
"modified": "2026-07-13T05:51:38.318773Z",
"published": "2026-03-26T22:16:30.880Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/streamlit/streamlit/releases/tag/1.54.0"
},
{
"type": "ADVISORY",
"url": "https://github.com/streamlit/streamlit/security/advisories/GHSA-7p48-42j8-8846"
},
{
"type": "FIX",
"url": "https://github.com/streamlit/streamlit/commit/23692ca70b2f2ac720c72d1feb4f190c9d6eed76"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}