CVE-2026-10804

Description

A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.

How to fix CVE-2026-10804

To remediate CVE-2026-10804, upgrade the affected package to a fixed version below.

—upgrade to 1.53.1 or later

Is CVE-2026-10804 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-10804.

Affected packages (1)

from 0, < 1.53.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.7	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References (7)

ADVISORYvuldb.com/cve/CVE-2026-10804
ADVISORYvuldb.com/submit/831508
ADVISORYvuldb.com/vuln/368253
PATCHgithub.com/streamlit/streamlit/issues/14622
PATCHgithub.com/streamlit/streamlit/pull/14635