Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/650271?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/650271?format=api", "purl": "pkg:pypi/apache-superset@2.1.1rc2", "type": "pypi", "namespace": "", "name": "apache-superset", "version": "2.1.1rc2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.0.0", "latest_non_vulnerable_version": "6.0.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55518?format=api", "vulnerability_id": "VCID-19em-abzu-5bd5", "summary": "An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error log of the Alert exposing possibly sensitive data.\n\n\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.\n\nUsers are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27315", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00131", "scoring_system": "epss", "scoring_elements": "0.32284", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00131", "scoring_system": "epss", "scoring_elements": "0.3228", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00131", "scoring_system": "epss", "scoring_elements": "0.321", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00131", "scoring_system": "epss", "scoring_elements": "0.32302", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27315" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/28/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/28/3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27315", "reference_id": "CVE-2024-27315", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27315" }, { "reference_url": "https://github.com/advisories/GHSA-h7r6-8qmm-hj5r", "reference_id": "GHSA-h7r6-8qmm-hj5r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h7r6-8qmm-hj5r" }, { "reference_url": "https://lists.apache.org/thread/qcwbx7q2s3ynsd405895bx3wcwq32j7z", "reference_id": "qcwbx7q2s3ynsd405895bx3wcwq32j7z", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-27T16:03:10Z/" } ], "url": "https://lists.apache.org/thread/qcwbx7q2s3ynsd405895bx3wcwq32j7z" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29411?format=api", "purl": "pkg:pypi/apache-superset@3.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/29413?format=api", "purl": "pkg:pypi/apache-superset@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.1" } ], "aliases": [ "CVE-2024-27315", "GHSA-h7r6-8qmm-hj5r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-19em-abzu-5bd5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/59435?format=api", "vulnerability_id": "VCID-1gqt-cpea-b7ht", "summary": "Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable. \n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-55633", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01043", "scoring_system": "epss", "scoring_elements": "0.77963", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01043", "scoring_system": "epss", "scoring_elements": "0.77956", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01043", "scoring_system": "epss", "scoring_elements": "0.77881", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.01043", "scoring_system": "epss", "scoring_elements": "0.7795", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-55633" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55633", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55633" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/12/12/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/12/12/1" }, { "reference_url": "https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb", "reference_id": "bwmd17fcvljt9q4cgctp4v09zh3qs7fb", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-12T15:27:53Z/" } ], "url": "https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb" }, { "reference_url": "https://github.com/advisories/GHSA-787v-v9vq-4rgv", "reference_id": "GHSA-787v-v9vq-4rgv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-787v-v9vq-4rgv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372313?format=api", "purl": "pkg:pypi/apache-superset@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0" } ], "aliases": [ "CVE-2024-55633", "GHSA-787v-v9vq-4rgv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1gqt-cpea-b7ht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121409?format=api", "vulnerability_id": "VCID-2bqf-unav-tbfs", "summary": "Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55675", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.49046", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.49033", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48892", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.49028", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55675" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55675", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55675" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/08/14/6" }, { "reference_url": "https://github.com/advisories/GHSA-mhpq-m962-mg92", "reference_id": "GHSA-mhpq-m962-mg92", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mhpq-m962-mg92" }, { "reference_url": "https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33", "reference_id": "op681b4kbd7g84tfjf9omz0sxggbcv33", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:47:53Z/" } ], "url": "https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377635?format=api", "purl": "pkg:pypi/apache-superset@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0" } ], "aliases": [ "CVE-2025-55675", "GHSA-mhpq-m962-mg92" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2bqf-unav-tbfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66962?format=api", "vulnerability_id": "VCID-35bq-93h8-qufg", "summary": "Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.\n\nThis issue affects Apache Superset: before 4.1.2.\n\nUsers are recommended to upgrade to version 4.1.2, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23969", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21453", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21624", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21637", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.2165", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23969" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/4" }, { "reference_url": "https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd", "reference_id": "2q22sp4oj3krcgdkxchhtht0vgwp2wnd", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:03:24Z/" } ], "url": "https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23969", "reference_id": "CVE-2026-23969", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23969" }, { "reference_url": "https://github.com/advisories/GHSA-48m2-v2r8-h23m", "reference_id": "GHSA-48m2-v2r8-h23m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-48m2-v2r8-h23m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39576?format=api", "purl": "pkg:pypi/apache-superset@4.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2" } ], "aliases": [ "CVE-2026-23969", "GHSA-48m2-v2r8-h23m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-35bq-93h8-qufg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/356675?format=api", "vulnerability_id": "VCID-4axb-e4nm-3fcy", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42502", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00099", "scoring_system": "epss", "scoring_elements": "0.27068", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00099", "scoring_system": "epss", "scoring_elements": "0.27271", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00099", "scoring_system": "epss", "scoring_elements": "0.2729", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00099", "scoring_system": "epss", "scoring_elements": "0.27272", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42502" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42502", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42502" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/11/28/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2023/11/28/3" }, { "reference_url": "https://github.com/advisories/GHSA-hc74-9vjm-c9xv", "reference_id": "GHSA-hc74-9vjm-c9xv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hc74-9vjm-c9xv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31859?format=api", "purl": "pkg:pypi/apache-superset@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8qnw-zrab-y3ac" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-jbtq-unbj-nyez" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-s7bz-64kr-9yfs" }, { "vulnerability": "VCID-ss9d-ku99-b3gf" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.0" } ], "aliases": [ "CVE-2023-42502", "GHSA-hc74-9vjm-c9xv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4axb-e4nm-3fcy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66895?format=api", "vulnerability_id": "VCID-8bqq-wrc2-b3de", "summary": "An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23982", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13535", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13512", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13418", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13539", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23982" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/6" }, { "reference_url": "https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp", "reference_id": "9lvbzwkw4rxgdvbpfvnnnfcll92v75fp", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:44:20Z/" } ], "url": "https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23982", "reference_id": "CVE-2026-23982", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23982" }, { "reference_url": "https://github.com/advisories/GHSA-3m2g-v7jf-7fxc", "reference_id": "GHSA-3m2g-v7jf-7fxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3m2g-v7jf-7fxc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39575?format=api", "purl": "pkg:pypi/apache-superset@6.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0" } ], "aliases": [ "CVE-2026-23982", "GHSA-3m2g-v7jf-7fxc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8bqq-wrc2-b3de" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/33743?format=api", "vulnerability_id": "VCID-8qnw-zrab-y3ac", "summary": "This is a duplicate for CVE-2023-46104. With correct CVE version ranges for affected Apache Superset.\n \nUncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. \nThis vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23952", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0138", "scoring_system": "epss", "scoring_elements": "0.80754", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0138", "scoring_system": "epss", "scoring_elements": "0.80763", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0138", "scoring_system": "epss", "scoring_elements": "0.80752", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0138", "scoring_system": "epss", "scoring_elements": "0.80692", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23952" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/14/2", "reference_id": "2", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-14T19:21:25Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/14/2" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/14/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-14T19:21:25Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/14/3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23952", "reference_id": "CVE-2024-23952", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23952" }, { "reference_url": "https://github.com/advisories/GHSA-v7q3-5rqm-x7m9", "reference_id": "GHSA-v7q3-5rqm-x7m9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v7q3-5rqm-x7m9" }, { "reference_url": "https://lists.apache.org/thread/zc58zvm4414molqn2m4d4vkrbrsxdksx", "reference_id": "zc58zvm4414molqn2m4d4vkrbrsxdksx", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-14T19:21:25Z/" } ], "url": "https://lists.apache.org/thread/zc58zvm4414molqn2m4d4vkrbrsxdksx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31858?format=api", "purl": "pkg:pypi/apache-superset@2.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-4axb-e4nm-3fcy" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-98eq-5ynn-2ba5" }, { "vulnerability": "VCID-c1du-my8w-3kc4" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-jbtq-unbj-nyez" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-ss9d-ku99-b3gf" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@2.1.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/31860?format=api", "purl": "pkg:pypi/apache-superset@3.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-jbtq-unbj-nyez" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-s7bz-64kr-9yfs" }, { "vulnerability": "VCID-ss9d-ku99-b3gf" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.1" } ], "aliases": [ "CVE-2024-23952", "GHSA-v7q3-5rqm-x7m9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8qnw-zrab-y3ac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39948?format=api", "vulnerability_id": "VCID-8s2r-g7nq-9qcm", "summary": "An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2.\n\nUsers are recommended to upgrade to version 3.1.2 or above, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28148", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23713", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23895", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23909", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23918", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28148" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28148", "reference_id": "CVE-2024-28148", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28148" }, { "reference_url": "https://github.com/advisories/GHSA-299q-3p96-5898", "reference_id": "GHSA-299q-3p96-5898", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-299q-3p96-5898" }, { "reference_url": "https://lists.apache.org/thread/n27wlbd05oc6bgjh28d5pxzsrrph8dgo", "reference_id": "n27wlbd05oc6bgjh28d5pxzsrrph8dgo", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T18:25:54Z/" } ], "url": "https://lists.apache.org/thread/n27wlbd05oc6bgjh28d5pxzsrrph8dgo" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30933?format=api", "purl": "pkg:pypi/apache-superset@3.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/32253?format=api", "purl": "pkg:pypi/apache-superset@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.0" } ], "aliases": [ "CVE-2024-28148", "GHSA-299q-3p96-5898" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8s2r-g7nq-9qcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/356676?format=api", "vulnerability_id": "VCID-98eq-5ynn-2ba5", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42505", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13258", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13364", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.1337", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13346", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42505" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://lists.apache.org/thread/bd0fhtfzrtgo1q8x35tpm8ms144d1t2y", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/bd0fhtfzrtgo1q8x35tpm8ms144d1t2y" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42505", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42505" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/11/28/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2023/11/28/5" }, { "reference_url": "https://github.com/advisories/GHSA-fgpw-4w69-j256", "reference_id": "GHSA-fgpw-4w69-j256", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fgpw-4w69-j256" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31859?format=api", "purl": "pkg:pypi/apache-superset@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8qnw-zrab-y3ac" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-jbtq-unbj-nyez" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-s7bz-64kr-9yfs" }, { "vulnerability": "VCID-ss9d-ku99-b3gf" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.0" } ], "aliases": [ "CVE-2023-42505", "GHSA-fgpw-4w69-j256" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-98eq-5ynn-2ba5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/138837?format=api", "vulnerability_id": "VCID-annr-p6ed-wbaz", "summary": "If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend.\n\nThe Superset metadata db is an 'internal' component that is typically \nonly accessible directly by the system administrator and the superset \nprocess itself. Gaining access to that database should\n be difficult and require significant privileges.\n\nThis vulnerability impacts Apache Superset versions 1.5.0 up to and including 2.1.0. Users are recommended to upgrade to version 2.1.1 or later.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37941", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.84244", "scoring_system": "epss", "scoring_elements": "0.99332", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.84244", "scoring_system": "epss", "scoring_elements": "0.99334", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.84244", "scoring_system": "epss", "scoring_elements": "0.99335", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37941" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37941", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37941" }, { "reference_url": "https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h", "reference_id": "6qk1zscc06yogxxfgz2bh2bvz6vh9g7h", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-27T18:55:32Z/" } ], "url": "https://lists.apache.org/thread/6qk1zscc06yogxxfgz2bh2bvz6vh9g7h" }, { "reference_url": "http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html", "reference_id": "Apache-Superset-2.0.0-Remote-Code-Execution.html", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-27T18:55:32Z/" } ], "url": "http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html" }, { "reference_url": "https://github.com/advisories/GHSA-fj4x-m62j-wvwg", "reference_id": "GHSA-fj4x-m62j-wvwg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fj4x-m62j-wvwg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/379698?format=api", "purl": "pkg:pypi/apache-superset@2.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-4axb-e4nm-3fcy" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8qnw-zrab-y3ac" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-98eq-5ynn-2ba5" }, { "vulnerability": "VCID-c1du-my8w-3kc4" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fuze-h6b7-p7ej" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-jbtq-unbj-nyez" }, { "vulnerability": "VCID-meyp-4j5x-sfbt" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-s7bz-64kr-9yfs" }, { "vulnerability": "VCID-ss9d-ku99-b3gf" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@2.1.1" } ], "aliases": [ "CVE-2023-37941", "GHSA-fj4x-m62j-wvwg" ], "risk_score": 10.0, "exploitability": "2.0", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-annr-p6ed-wbaz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/135602?format=api", "vulnerability_id": "VCID-c1du-my8w-3kc4", "summary": "An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.\n\nThis issue affects Apache Superset: before 3.0.0", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42504", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0029", "scoring_system": "epss", "scoring_elements": "0.52909", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0029", "scoring_system": "epss", "scoring_elements": "0.52906", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0029", "scoring_system": "epss", "scoring_elements": "0.52924", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0029", "scoring_system": "epss", "scoring_elements": "0.52781", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42504" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42504", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42504" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/11/28/6", "reference_id": "6", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-20T18:13:10Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2023/11/28/6" }, { "reference_url": "https://github.com/advisories/GHSA-3hp7-4qq4-v5c6", "reference_id": "GHSA-3hp7-4qq4-v5c6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3hp7-4qq4-v5c6" }, { "reference_url": "https://lists.apache.org/thread/yzq5gk1y9lyw6nxwd3xdkxg1djqw1h6l", "reference_id": "yzq5gk1y9lyw6nxwd3xdkxg1djqw1h6l", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-20T18:13:10Z/" } ], "url": "https://lists.apache.org/thread/yzq5gk1y9lyw6nxwd3xdkxg1djqw1h6l" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31859?format=api", "purl": "pkg:pypi/apache-superset@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8qnw-zrab-y3ac" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-jbtq-unbj-nyez" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-s7bz-64kr-9yfs" }, { "vulnerability": "VCID-ss9d-ku99-b3gf" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.0" } ], "aliases": [ "CVE-2023-42504", "GHSA-3hp7-4qq4-v5c6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c1du-my8w-3kc4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44343?format=api", "vulnerability_id": "VCID-czv8-b1v4-s3gv", "summary": "Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.\n\n issue affects Apache Superset: from 2.0.0 before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53949", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56828", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56703", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56838", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56824", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53949" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53949", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53949" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/12/09/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/12/09/4" }, { "reference_url": "https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d", "reference_id": "d3scbwmfpzbpm6npnzdw5y4owtqqyq8d", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-09T15:01:51Z/" } ], "url": "https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d" }, { "reference_url": "https://github.com/advisories/GHSA-35fc-9hrj-3585", "reference_id": "GHSA-35fc-9hrj-3585", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-35fc-9hrj-3585" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372313?format=api", "purl": "pkg:pypi/apache-superset@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0" } ], "aliases": [ "CVE-2024-53949", "GHSA-35fc-9hrj-3585" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-czv8-b1v4-s3gv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121655?format=api", "vulnerability_id": "VCID-djyw-btmk-tyc1", "summary": "When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.\n\nThis issue affects Apache Superset: before 4.1.3.\n\nUsers are recommended to upgrade to version 4.1.3, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55673", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00881", "scoring_system": "epss", "scoring_elements": "0.75893", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00881", "scoring_system": "epss", "scoring_elements": "0.75887", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00881", "scoring_system": "epss", "scoring_elements": "0.75808", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00881", "scoring_system": "epss", "scoring_elements": "0.75879", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55673" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55673", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55673" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/08/14/3" }, { "reference_url": "https://github.com/advisories/GHSA-9g5x-mm39-wg9r", "reference_id": "GHSA-9g5x-mm39-wg9r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9g5x-mm39-wg9r" }, { "reference_url": "https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8", "reference_id": "h2hw756wk4sj4z49blvzkr5fntl9hlf8", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T14:02:38Z/" } ], "url": "https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377620?format=api", "purl": "pkg:pypi/apache-superset@4.1.3.post1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.3.post1" } ], "aliases": [ "CVE-2025-55673", "GHSA-9g5x-mm39-wg9r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-djyw-btmk-tyc1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46704?format=api", "vulnerability_id": "VCID-f3cr-98hh-qygb", "summary": "An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.\n\nThis issue affects Apache Superset: before 4.0.2.\n\nUsers are recommended to upgrade to version 4.0.2, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.61396", "scoring_system": "epss", "scoring_elements": "0.98352", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.61396", "scoring_system": "epss", "scoring_elements": "0.98359", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.61396", "scoring_system": "epss", "scoring_elements": "0.98358", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39887" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/07/16/5", "reference_id": "5", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39887", "reference_id": "CVE-2024-39887", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39887" }, { "reference_url": "https://github.com/advisories/GHSA-2q6j-vpvr-6pvj", "reference_id": "GHSA-2q6j-vpvr-6pvj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2q6j-vpvr-6pvj" }, { "reference_url": "https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz", "reference_id": "j55vm41jg3l0x6w49zrmvbf3k0ts5fqz", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/" } ], "url": "https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32665?format=api", "purl": "pkg:pypi/apache-superset@4.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.2" } ], "aliases": [ "CVE-2024-39887", "GHSA-2q6j-vpvr-6pvj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f3cr-98hh-qygb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/135563?format=api", "vulnerability_id": "VCID-fuze-h6b7-p7ej", "summary": "Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\nThis issue affects Apache Superset: before 2.1.2.\nUsers should upgrade to version or above 2.1.2 and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42501", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27605", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27615", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.2763", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00101", "scoring_system": "epss", "scoring_elements": "0.27402", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42501" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42501", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42501" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/11/27/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T19:01:45Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2023/11/27/3" }, { "reference_url": "https://github.com/advisories/GHSA-vv65-fjfj-4736", "reference_id": "GHSA-vv65-fjfj-4736", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vv65-fjfj-4736" }, { "reference_url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh", "reference_id": "vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T19:01:45Z/" } ], "url": "https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31858?format=api", "purl": "pkg:pypi/apache-superset@2.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-4axb-e4nm-3fcy" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-98eq-5ynn-2ba5" }, { "vulnerability": "VCID-c1du-my8w-3kc4" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-jbtq-unbj-nyez" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-ss9d-ku99-b3gf" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@2.1.2" } ], "aliases": [ "CVE-2023-42501", "GHSA-vv65-fjfj-4736" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fuze-h6b7-p7ej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61980?format=api", "vulnerability_id": "VCID-fw5g-fb97-5qgv", "summary": "A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analytics database.This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.\n\n\nUsers are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24772", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00575", "scoring_system": "epss", "scoring_elements": "0.69333", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00575", "scoring_system": "epss", "scoring_elements": "0.69342", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00575", "scoring_system": "epss", "scoring_elements": "0.6924", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00575", "scoring_system": "epss", "scoring_elements": "0.69345", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24772" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/28/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/28/5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24772", "reference_id": "CVE-2024-24772", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24772" }, { "reference_url": "https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5", "reference_id": "gfl3ckwy6y9tpz9jmpv62orh2q346sn5", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-26T17:55:04Z/" } ], "url": "https://lists.apache.org/thread/gfl3ckwy6y9tpz9jmpv62orh2q346sn5" }, { "reference_url": "https://github.com/advisories/GHSA-m6jm-3v38-76j4", "reference_id": "GHSA-m6jm-3v38-76j4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m6jm-3v38-76j4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29411?format=api", "purl": "pkg:pypi/apache-superset@3.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/29413?format=api", "purl": "pkg:pypi/apache-superset@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.1" } ], "aliases": [ "CVE-2024-24772", "GHSA-m6jm-3v38-76j4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fw5g-fb97-5qgv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41369?format=api", "vulnerability_id": "VCID-h8px-dtx8-7ucd", "summary": "A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereby gaining ownership of the object. However, it's important to note that access to the analytical data of these charts and dashboards would still be subject to validation based on data access privileges.\n\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.Users are recommended to upgrade to version 3.1.1, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26016", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48443", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48585", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48599", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00249", "scoring_system": "epss", "scoring_elements": "0.48581", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26016" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/28/7", "reference_id": "7", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T18:55:52Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/28/7" }, { "reference_url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s", "reference_id": "76v1jjcylgk4p3m0258qr359ook3vl8s", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T18:55:52Z/" } ], "url": "https://lists.apache.org/thread/76v1jjcylgk4p3m0258qr359ook3vl8s" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26016", "reference_id": "CVE-2024-26016", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26016" }, { "reference_url": "https://github.com/advisories/GHSA-3v9r-885j-762g", "reference_id": "GHSA-3v9r-885j-762g", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3v9r-885j-762g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29411?format=api", "purl": "pkg:pypi/apache-superset@3.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/29413?format=api", "purl": "pkg:pypi/apache-superset@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.1" } ], "aliases": [ "CVE-2024-26016", "GHSA-3v9r-885j-762g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h8px-dtx8-7ucd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/357681?format=api", "vulnerability_id": "VCID-jbtq-unbj-nyez", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-49736", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66233", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66328", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66341", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66339", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-49736" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/1d403dab9822a8cee6108669c53e53fad881c751", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/1d403dab9822a8cee6108669c53e53fad881c751" }, { "reference_url": "https://github.com/apache/superset/commit/34101594e284ab3acce692f41aff7759ccb4bf1d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/34101594e284ab3acce692f41aff7759ccb4bf1d" }, { "reference_url": "https://github.com/apache/superset/pull/25779", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/pull/25779" }, { "reference_url": "https://lists.apache.org/thread/1kf481bgs3451qcz6hfhobs7xvhp8n1p", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/1kf481bgs3451qcz6hfhobs7xvhp8n1p" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49736", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49736" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/19/2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/19/2" }, { "reference_url": "https://github.com/advisories/GHSA-jfxj-xf67-x723", "reference_id": "GHSA-jfxj-xf67-x723", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jfxj-xf67-x723" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/380149?format=api", "purl": "pkg:pypi/apache-superset@2.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@2.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/380150?format=api", "purl": "pkg:pypi/apache-superset@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-s7bz-64kr-9yfs" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.2" } ], "aliases": [ "CVE-2023-49736", "GHSA-jfxj-xf67-x723" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jbtq-unbj-nyez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/356796?format=api", "vulnerability_id": "VCID-meyp-4j5x-sfbt", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43701", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.47068", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.47209", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.47223", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00237", "scoring_system": "epss", "scoring_elements": "0.47205", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43701" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43701", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43701" }, { "reference_url": "https://www.openwall.com/lists/oss-security/2023/11/27/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.openwall.com/lists/oss-security/2023/11/27/4" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/11/27/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2023/11/27/4" }, { "reference_url": "https://github.com/advisories/GHSA-wq8q-99p5-xfrw", "reference_id": "GHSA-wq8q-99p5-xfrw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wq8q-99p5-xfrw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31858?format=api", "purl": "pkg:pypi/apache-superset@2.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-4axb-e4nm-3fcy" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-98eq-5ynn-2ba5" }, { "vulnerability": "VCID-c1du-my8w-3kc4" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-jbtq-unbj-nyez" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-ss9d-ku99-b3gf" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@2.1.2" } ], "aliases": [ "CVE-2023-43701", "GHSA-wq8q-99p5-xfrw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-meyp-4j5x-sfbt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121675?format=api", "vulnerability_id": "VCID-mjty-hv8c-mbck", "summary": "A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55674", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.5972", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.5971", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59599", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59708", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55674" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55674", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55674" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/08/14/5" }, { "reference_url": "https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo", "reference_id": "cn49ps15ny3g2b1qzdg5mj7hp47p5jdo", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:49:40Z/" } ], "url": "https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo" }, { "reference_url": "https://github.com/advisories/GHSA-fxgf-3xh6-m2pp", "reference_id": "GHSA-fxgf-3xh6-m2pp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fxgf-3xh6-m2pp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377635?format=api", "purl": "pkg:pypi/apache-superset@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0" } ], "aliases": [ "CVE-2025-55674", "GHSA-fxgf-3xh6-m2pp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mjty-hv8c-mbck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44491?format=api", "vulnerability_id": "VCID-mwbp-vuvw-mua1", "summary": "Generation of Error Message Containing analytics metadata Information in Apache Superset.\n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53948", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.3865", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38466", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38661", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38639", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53948" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53948", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53948" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/12/09/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/12/09/3" }, { "reference_url": "https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf", "reference_id": "8howpf3png0wrgpls46ggk441oczlfvf", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:04:23Z/" } ], "url": "https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf" }, { "reference_url": "https://github.com/advisories/GHSA-2cx9-54hp-r698", "reference_id": "GHSA-2cx9-54hp-r698", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2cx9-54hp-r698" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372313?format=api", "purl": "pkg:pypi/apache-superset@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0" } ], "aliases": [ "CVE-2024-53948", "GHSA-2cx9-54hp-r698" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mwbp-vuvw-mua1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/118233?format=api", "vulnerability_id": "VCID-pvr6-v3ds-sqcr", "summary": "An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.\n\nThis issue affects Apache Superset: before 4.1.2.\n\nUsers are recommended to upgrade to version 4.1.2, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48912", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56887", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56876", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56751", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56872", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48912" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48912", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48912" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/05/30/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/05/30/3" }, { "reference_url": "https://github.com/advisories/GHSA-8w7f-8pr9-xgwj", "reference_id": "GHSA-8w7f-8pr9-xgwj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8w7f-8pr9-xgwj" }, { "reference_url": "https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135", "reference_id": "ms2t2oq218hb7l628trsogo4fj7h1135", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T12:55:47Z/" } ], "url": "https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39576?format=api", "purl": "pkg:pypi/apache-superset@4.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2" } ], "aliases": [ "CVE-2025-48912", "GHSA-8w7f-8pr9-xgwj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pvr6-v3ds-sqcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/133132?format=api", "vulnerability_id": "VCID-q2f7-jq7w-vkc5", "summary": "A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.\n\nFor 2.X versions, users should change their config to include:\n\nTALISMAN_CONFIG = {\n \"content_security_policy\": {\n \"base-uri\": [\"'self'\"],\n \"default-src\": [\"'self'\"],\n \"img-src\": [\"'self'\", \"blob:\", \"data:\"],\n \"worker-src\": [\"'self'\", \"blob:\"],\n \"connect-src\": [\n \"'self'\",\n \" https://api.mapbox.com\" https://api.mapbox.com\" ;,\n \" https://events.mapbox.com\" https://events.mapbox.com\" ;,\n ],\n \"object-src\": \"'none'\",\n \"style-src\": [\n \"'self'\",\n \"'unsafe-inline'\",\n ],\n \"script-src\": [\"'self'\", \"'strict-dynamic'\"],\n },\n \"content_security_policy_nonce_in\": [\"script-src\"],\n \"force_https\": False,\n \"session_cookie_secure\": False,\n}", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-49657", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61191", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61081", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61195", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61187", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-49657" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/01/23/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/01/23/5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49657", "reference_id": "CVE-2023-49657", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49657" }, { "reference_url": "https://github.com/advisories/GHSA-rwhh-6x83-84v6", "reference_id": "GHSA-rwhh-6x83-84v6", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rwhh-6x83-84v6" }, { "reference_url": "https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx", "reference_id": "wjyvz8om9nwd396lh0bt156mtwjxpsvx", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T16:03:28Z/" } ], "url": "https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/28540?format=api", "purl": "pkg:pypi/apache-superset@3.0.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.3" } ], "aliases": [ "CVE-2023-49657", "GHSA-rwhh-6x83-84v6" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q2f7-jq7w-vkc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61646?format=api", "vulnerability_id": "VCID-rkx2-ky5w-myce", "summary": "Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope.\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.\n\nUsers are recommended to upgrade to version 3.1.1, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24773", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35496", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35502", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35518", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35318", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24773" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/28/4", "reference_id": "4", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T20:46:05Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/28/4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24773", "reference_id": "CVE-2024-24773", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24773" }, { "reference_url": "https://github.com/advisories/GHSA-5474-f7g5-273q", "reference_id": "GHSA-5474-f7g5-273q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5474-f7g5-273q" }, { "reference_url": "https://lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501", "reference_id": "h66fy6nj41cfx07zh7l552w6dmtjh501", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-15T20:46:05Z/" } ], "url": "https://lists.apache.org/thread/h66fy6nj41cfx07zh7l552w6dmtjh501" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29411?format=api", "purl": "pkg:pypi/apache-superset@3.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/29413?format=api", "purl": "pkg:pypi/apache-superset@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.1" } ], "aliases": [ "CVE-2024-24773", "GHSA-5474-f7g5-273q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rkx2-ky5w-myce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/132563?format=api", "vulnerability_id": "VCID-s7bz-64kr-9yfs", "summary": "Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. \nThis vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46104", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69723", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69825", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69828", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00592", "scoring_system": "epss", "scoring_elements": "0.69813", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46104" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/7c23cb0b3fd224c320b35f05e74b572033569154", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/7c23cb0b3fd224c320b35f05e74b572033569154" }, { "reference_url": "https://github.com/apache/superset/commit/f473d13d0d89de5990209ff81b17dfe2cee884d3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/f473d13d0d89de5990209ff81b17dfe2cee884d3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46104", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46104" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/19/1", "reference_id": "1", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:37:09Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/19/1" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/14/2", "reference_id": "2", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:37:09Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/14/2" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/14/3", "reference_id": "3", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:37:09Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/14/3" }, { "reference_url": "https://github.com/advisories/GHSA-95mg-jgfx-54v9", "reference_id": "GHSA-95mg-jgfx-54v9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-95mg-jgfx-54v9" }, { "reference_url": "https://lists.apache.org/thread/yxbxg4wryb7cb7wyybk11l5nqy0rsrvl", "reference_id": "yxbxg4wryb7cb7wyybk11l5nqy0rsrvl", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:37:09Z/" } ], "url": "https://lists.apache.org/thread/yxbxg4wryb7cb7wyybk11l5nqy0rsrvl" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/31858?format=api", "purl": "pkg:pypi/apache-superset@2.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-4axb-e4nm-3fcy" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-98eq-5ynn-2ba5" }, { "vulnerability": "VCID-c1du-my8w-3kc4" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-jbtq-unbj-nyez" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-ss9d-ku99-b3gf" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@2.1.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/380328?format=api", "purl": "pkg:pypi/apache-superset@3.1.0rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.0rc1" } ], "aliases": [ "CVE-2023-46104", "GHSA-95mg-jgfx-54v9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s7bz-64kr-9yfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/357680?format=api", "vulnerability_id": "VCID-ss9d-ku99-b3gf", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-49734", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.33845", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34022", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34045", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34024", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-49734" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/5198279a2ba41ab3e89bd9d7750694179d3f9fe6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/5198279a2ba41ab3e89bd9d7750694179d3f9fe6" }, { "reference_url": "https://github.com/apache/superset/commit/cb6de0a9c9f505ee3f26e79ca9bfa5f3901528a0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/cb6de0a9c9f505ee3f26e79ca9bfa5f3901528a0" }, { "reference_url": "https://github.com/apache/superset/pull/25843", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/pull/25843" }, { "reference_url": "https://lists.apache.org/thread/985h6ltvtbvdoysso780kkj7x744cds5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/985h6ltvtbvdoysso780kkj7x744cds5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49734", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49734" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/12/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2023/12/19/3" }, { "reference_url": "https://github.com/advisories/GHSA-g49j-j489-3xpf", "reference_id": "GHSA-g49j-j489-3xpf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g49j-j489-3xpf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/380149?format=api", "purl": "pkg:pypi/apache-superset@2.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@2.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/380150?format=api", "purl": "pkg:pypi/apache-superset@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19em-abzu-5bd5" }, { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-fw5g-fb97-5qgv" }, { "vulnerability": "VCID-h8px-dtx8-7ucd" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-q2f7-jq7w-vkc5" }, { "vulnerability": "VCID-rkx2-ky5w-myce" }, { "vulnerability": "VCID-s7bz-64kr-9yfs" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-uxws-xum3-efgv" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.2" } ], "aliases": [ "CVE-2023-49734", "GHSA-g49j-j489-3xpf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ss9d-ku99-b3gf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66654?format=api", "vulnerability_id": "VCID-tvfr-mp56-b7f4", "summary": "Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23980", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12784", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.1287", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12879", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12889", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23980" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23980", "reference_id": "CVE-2026-23980", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23980" }, { "reference_url": "https://github.com/advisories/GHSA-gvxg-9hqx-f4rg", "reference_id": "GHSA-gvxg-9hqx-f4rg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gvxg-9hqx-f4rg" }, { "reference_url": "https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4", "reference_id": "h4l02zw1pr2vywv0dc5zjn3grdcdhwf4", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:05:27Z/" } ], "url": "https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39575?format=api", "purl": "pkg:pypi/apache-superset@6.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0" } ], "aliases": [ "CVE-2026-23980", "GHSA-gvxg-9hqx-f4rg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tvfr-mp56-b7f4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66947?format=api", "vulnerability_id": "VCID-ubwg-81j2-8yhd", "summary": "An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection.\nWhile the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23984", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12856", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12943", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12952", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12963", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23984" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/8" }, { "reference_url": "https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26", "reference_id": "72cmgxtvp9pclto4ln1chbs1227nwd26", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:51:19Z/" } ], "url": "https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23984", "reference_id": "CVE-2026-23984", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23984" }, { "reference_url": "https://github.com/advisories/GHSA-mwf2-qr4v-94h2", "reference_id": "GHSA-mwf2-qr4v-94h2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mwf2-qr4v-94h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39575?format=api", "purl": "pkg:pypi/apache-superset@6.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0" } ], "aliases": [ "CVE-2026-23984", "GHSA-mwf2-qr4v-94h2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ubwg-81j2-8yhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66960?format=api", "vulnerability_id": "VCID-us7y-vvzr-2fea", "summary": "A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.\nWhen these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data \n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23983", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17696", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17688", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17536", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17713", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23983" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/7", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/7" }, { "reference_url": "https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww", "reference_id": "62mgbc5hc8026skp69kb6vqozj3pr5ww", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:46:54Z/" } ], "url": "https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23983", "reference_id": "CVE-2026-23983", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23983" }, { "reference_url": "https://github.com/advisories/GHSA-h294-8fxm-m2pj", "reference_id": "GHSA-h294-8fxm-m2pj", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h294-8fxm-m2pj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39575?format=api", "purl": "pkg:pypi/apache-superset@6.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0" } ], "aliases": [ "CVE-2026-23983", "GHSA-h294-8fxm-m2pj" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-us7y-vvzr-2fea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/61796?format=api", "vulnerability_id": "VCID-uxws-xum3-efgv", "summary": "Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data.\nThis issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1.\n\nUsers are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24779", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32612", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.3261", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32633", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32432", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24779" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/02/28/6", "reference_id": "6", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:17:04Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/02/28/6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24779", "reference_id": "CVE-2024-24779", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24779" }, { "reference_url": "https://github.com/advisories/GHSA-wr6g-9wcr-cmqj", "reference_id": "GHSA-wr6g-9wcr-cmqj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wr6g-9wcr-cmqj" }, { "reference_url": "https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq", "reference_id": "xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:17:04Z/" } ], "url": "https://lists.apache.org/thread/xzhz1m5bb9zxhyqgoy4q2d689b3zp4pq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29411?format=api", "purl": "pkg:pypi/apache-superset@3.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/29413?format=api", "purl": "pkg:pypi/apache-superset@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-8s2r-g7nq-9qcm" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.1" } ], "aliases": [ "CVE-2024-24779", "GHSA-wr6g-9wcr-cmqj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uxws-xum3-efgv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121536?format=api", "vulnerability_id": "VCID-v735-muyq-h7hr", "summary": "A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55672", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44475", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44316", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44469", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44488", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55672" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55672", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55672" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/08/14/4" }, { "reference_url": "https://github.com/advisories/GHSA-fj97-2v9x-w5m4", "reference_id": "GHSA-fj97-2v9x-w5m4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fj97-2v9x-w5m4" }, { "reference_url": "https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj", "reference_id": "rvh7fdjfzxzjhcfwoz7twc2brhvochdj", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:52:16Z/" } ], "url": "https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377635?format=api", "purl": "pkg:pypi/apache-superset@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0" } ], "aliases": [ "CVE-2025-55672", "GHSA-fj97-2v9x-w5m4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v735-muyq-h7hr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49457?format=api", "vulnerability_id": "VCID-vafu-fk53-6yd4", "summary": "Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0\n\nUsers are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34693", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.12622", "scoring_system": "epss", "scoring_elements": "0.94122", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.12622", "scoring_system": "epss", "scoring_elements": "0.9415", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.12622", "scoring_system": "epss", "scoring_elements": "0.94148", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.12622", "scoring_system": "epss", "scoring_elements": "0.94143", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34693" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/06/20/1", "reference_id": "1", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T12:55:23Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/06/20/1" }, { "reference_url": "https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon", "reference_id": "1803x1s34m7r71h1k0q1njol8k6fmyon", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T12:55:23Z/" } ], "url": "https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34693", "reference_id": "CVE-2024-34693", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34693" }, { "reference_url": "https://github.com/advisories/GHSA-hcr7-cqwc-q5gq", "reference_id": "GHSA-hcr7-cqwc-q5gq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hcr7-cqwc-q5gq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32255?format=api", "purl": "pkg:pypi/apache-superset@3.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/32254?format=api", "purl": "pkg:pypi/apache-superset@4.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.1" } ], "aliases": [ "CVE-2024-34693", "GHSA-hcr7-cqwc-q5gq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vafu-fk53-6yd4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44744?format=api", "vulnerability_id": "VCID-xsmf-gtwu-1kae", "summary": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.\n\nThis issue affects Apache Superset: <4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53947", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61214", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61219", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61108", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61223", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53947" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53947", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53947" }, { "reference_url": "https://github.com/advisories/GHSA-92qf-8gh3-gwcm", "reference_id": "GHSA-92qf-8gh3-gwcm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-92qf-8gh3-gwcm" }, { "reference_url": "https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn", "reference_id": "hj3gfsjh67vqw12nlrshlsym4bkopjmn", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:05:04Z/" } ], "url": "https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372313?format=api", "purl": "pkg:pypi/apache-superset@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0" } ], "aliases": [ "CVE-2024-53947", "GHSA-92qf-8gh3-gwcm" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xsmf-gtwu-1kae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/116858?format=api", "vulnerability_id": "VCID-zvzt-19xv-6ubd", "summary": "Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.\n\nThis issue affects Apache Superset: through 4.1.1.\n\nUsers are recommended to upgrade to version 4.1.2 or above, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27696", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23681", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23671", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23484", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.2369", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27696" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27696", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27696" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/05/12/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/05/12/3" }, { "reference_url": "https://github.com/advisories/GHSA-w6c7-j32f-rq8j", "reference_id": "GHSA-w6c7-j32f-rq8j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w6c7-j32f-rq8j" }, { "reference_url": "https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413", "reference_id": "k2od03bxnxs6vcp80sr03ywcxl194413", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-13T13:15:33Z/" } ], "url": "https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39576?format=api", "purl": "pkg:pypi/apache-superset@4.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2" } ], "aliases": [ "CVE-2025-27696", "GHSA-w6c7-j32f-rq8j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zvzt-19xv-6ubd" } ], "fixing_vulnerabilities": [], "risk_score": "10.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@2.1.1rc2" }