Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an XSS issue.