Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/715519?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/715519?format=api", "purl": "pkg:pypi/apache-superset@4.0.0rc2", "type": "pypi", "namespace": "", "name": "apache-superset", "version": "4.0.0rc2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "6.0.0", "latest_non_vulnerable_version": "6.0.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/59435?format=api", "vulnerability_id": "VCID-1gqt-cpea-b7ht", "summary": "Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable. \n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-55633", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01043", "scoring_system": "epss", "scoring_elements": "0.77963", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01043", "scoring_system": "epss", "scoring_elements": "0.77956", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01043", "scoring_system": "epss", "scoring_elements": "0.77881", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.01043", "scoring_system": "epss", "scoring_elements": "0.7795", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-55633" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55633", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55633" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/12/12/1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/12/12/1" }, { "reference_url": "https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb", "reference_id": "bwmd17fcvljt9q4cgctp4v09zh3qs7fb", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-12T15:27:53Z/" } ], "url": "https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb" 
}, { "reference_url": "https://github.com/advisories/GHSA-787v-v9vq-4rgv", "reference_id": "GHSA-787v-v9vq-4rgv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-787v-v9vq-4rgv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372313?format=api", "purl": "pkg:pypi/apache-superset@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0" } ], "aliases": [ "CVE-2024-55633", "GHSA-787v-v9vq-4rgv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1gqt-cpea-b7ht" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121409?format=api", "vulnerability_id": "VCID-2bqf-unav-tbfs", "summary": "Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. 
By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55675", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.49046", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.49033", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.48892", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00253", "scoring_system": "epss", "scoring_elements": "0.49028", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55675" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55675", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55675" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/08/14/6" }, { "reference_url": "https://github.com/advisories/GHSA-mhpq-m962-mg92", "reference_id": "GHSA-mhpq-m962-mg92", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mhpq-m962-mg92" }, { "reference_url": "https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33", "reference_id": "op681b4kbd7g84tfjf9omz0sxggbcv33", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:47:53Z/" } ], "url": "https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377635?format=api", "purl": "pkg:pypi/apache-superset@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0" } ], "aliases": [ "CVE-2025-55675", "GHSA-mhpq-m962-mg92" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2bqf-unav-tbfs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66962?format=api", "vulnerability_id": "VCID-35bq-93h8-qufg", "summary": "Apache Superset utilizes a configurable dictionary, 
DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.\n\nThis issue affects Apache Superset: before 4.1.2.\n\nUsers are recommended to upgrade to version 4.1.2, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23969", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21453", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21624", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21637", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.2165", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23969" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/4" }, { "reference_url": 
"https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd", "reference_id": "2q22sp4oj3krcgdkxchhtht0vgwp2wnd", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:03:24Z/" } ], "url": "https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23969", "reference_id": "CVE-2026-23969", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23969" }, { "reference_url": "https://github.com/advisories/GHSA-48m2-v2r8-h23m", "reference_id": "GHSA-48m2-v2r8-h23m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-48m2-v2r8-h23m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39576?format=api", "purl": "pkg:pypi/apache-superset@4.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2" } ], "aliases": [ "CVE-2026-23969", "GHSA-48m2-v2r8-h23m" ], 
"risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-35bq-93h8-qufg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66895?format=api", "vulnerability_id": "VCID-8bqq-wrc2-b3de", "summary": "An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23982", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13535", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13512", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13418", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13539", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23982" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/6", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/6" }, { "reference_url": "https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp", "reference_id": "9lvbzwkw4rxgdvbpfvnnnfcll92v75fp", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:44:20Z/" } ], "url": "https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23982", "reference_id": "CVE-2026-23982", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23982" }, { "reference_url": "https://github.com/advisories/GHSA-3m2g-v7jf-7fxc", "reference_id": "GHSA-3m2g-v7jf-7fxc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3m2g-v7jf-7fxc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39575?format=api", "purl": "pkg:pypi/apache-superset@6.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0" } ], "aliases": [ "CVE-2026-23982", "GHSA-3m2g-v7jf-7fxc" ], 
"risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8bqq-wrc2-b3de" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39948?format=api", "vulnerability_id": "VCID-8s2r-g7nq-9qcm", "summary": "An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2.\n\nUsers are recommended to upgrade to version 3.1.2 or above, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28148", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23713", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23895", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23909", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0008", "scoring_system": "epss", "scoring_elements": "0.23918", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28148" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28148", "reference_id": "CVE-2024-28148", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-28148" }, { "reference_url": "https://github.com/advisories/GHSA-299q-3p96-5898", "reference_id": "GHSA-299q-3p96-5898", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-299q-3p96-5898" }, { "reference_url": "https://lists.apache.org/thread/n27wlbd05oc6bgjh28d5pxzsrrph8dgo", "reference_id": "n27wlbd05oc6bgjh28d5pxzsrrph8dgo", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T18:25:54Z/" } ], "url": "https://lists.apache.org/thread/n27wlbd05oc6bgjh28d5pxzsrrph8dgo" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32253?format=api", "purl": "pkg:pypi/apache-superset@4.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-f3cr-98hh-qygb" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-vafu-fk53-6yd4" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.0" } ], "aliases": [ "CVE-2024-28148", 
"GHSA-299q-3p96-5898" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8s2r-g7nq-9qcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44343?format=api", "vulnerability_id": "VCID-czv8-b1v4-s3gv", "summary": "Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.\n\n issue affects Apache Superset: from 2.0.0 before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53949", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56828", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56703", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56838", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56824", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53949" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53949", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53949" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/12/09/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/12/09/4" }, { "reference_url": "https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d", "reference_id": "d3scbwmfpzbpm6npnzdw5y4owtqqyq8d", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "7.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-09T15:01:51Z/" } ], "url": "https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d" }, { "reference_url": "https://github.com/advisories/GHSA-35fc-9hrj-3585", "reference_id": "GHSA-35fc-9hrj-3585", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-35fc-9hrj-3585" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372313?format=api", "purl": "pkg:pypi/apache-superset@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0" } ], "aliases": [ "CVE-2024-53949", "GHSA-35fc-9hrj-3585" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-czv8-b1v4-s3gv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121655?format=api", "vulnerability_id": "VCID-djyw-btmk-tyc1", "summary": "When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. 
This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.\n\nThis issue affects Apache Superset: before 4.1.3.\n\nUsers are recommended to upgrade to version 4.1.3, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55673", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00881", "scoring_system": "epss", "scoring_elements": "0.75893", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00881", "scoring_system": "epss", "scoring_elements": "0.75887", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00881", "scoring_system": "epss", "scoring_elements": "0.75808", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00881", "scoring_system": "epss", "scoring_elements": "0.75879", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55673" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55673", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55673" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/08/14/3" }, { "reference_url": "https://github.com/advisories/GHSA-9g5x-mm39-wg9r", "reference_id": "GHSA-9g5x-mm39-wg9r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9g5x-mm39-wg9r" }, { "reference_url": "https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8", "reference_id": "h2hw756wk4sj4z49blvzkr5fntl9hlf8", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T14:02:38Z/" } ], "url": "https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377620?format=api", "purl": "pkg:pypi/apache-superset@4.1.3.post1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.3.post1" } ], "aliases": [ "CVE-2025-55673", "GHSA-9g5x-mm39-wg9r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-djyw-btmk-tyc1" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/46704?format=api", "vulnerability_id": "VCID-f3cr-98hh-qygb", "summary": "An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.\n\nThis issue affects Apache Superset: before 4.0.2.\n\nUsers are recommended to upgrade to version 4.0.2, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39887", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.61396", "scoring_system": "epss", "scoring_elements": "0.98352", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.61396", "scoring_system": "epss", "scoring_elements": "0.98359", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.61396", "scoring_system": "epss", "scoring_elements": "0.98358", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39887" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": 
"https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/07/16/5", "reference_id": "5", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/" } ], "url": "http://www.openwall.com/lists/oss-security/2024/07/16/5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39887", "reference_id": "CVE-2024-39887", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39887" }, { "reference_url": "https://github.com/advisories/GHSA-2q6j-vpvr-6pvj", "reference_id": "GHSA-2q6j-vpvr-6pvj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", 
"scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2q6j-vpvr-6pvj" }, { "reference_url": "https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz", "reference_id": "j55vm41jg3l0x6w49zrmvbf3k0ts5fqz", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/" } ], "url": "https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32665?format=api", "purl": "pkg:pypi/apache-superset@4.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1gqt-cpea-b7ht" }, { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-czv8-b1v4-s3gv" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-mwbp-vuvw-mua1" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-xsmf-gtwu-1kae" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.2" } ], "aliases": [ "CVE-2024-39887", "GHSA-2q6j-vpvr-6pvj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f3cr-98hh-qygb" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/121675?format=api", "vulnerability_id": "VCID-mjty-hv8c-mbck", "summary": "A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55674", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.5972", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.5971", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59599", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59708", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55674" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55674", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55674" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/08/14/5" }, { "reference_url": "https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo", "reference_id": "cn49ps15ny3g2b1qzdg5mj7hp47p5jdo", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:49:40Z/" } ], "url": "https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo" }, { "reference_url": "https://github.com/advisories/GHSA-fxgf-3xh6-m2pp", "reference_id": "GHSA-fxgf-3xh6-m2pp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fxgf-3xh6-m2pp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377635?format=api", "purl": "pkg:pypi/apache-superset@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0" } ], "aliases": [ "CVE-2025-55674", "GHSA-fxgf-3xh6-m2pp" ], "risk_score": 3.1, 
"exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mjty-hv8c-mbck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44491?format=api", "vulnerability_id": "VCID-mwbp-vuvw-mua1", "summary": "Generation of Error Message Containing analytics metadata Information in Apache Superset.\n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53948", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.3865", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38466", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38661", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00172", "scoring_system": "epss", "scoring_elements": "0.38639", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53948" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53948", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53948" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2024/12/09/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2024/12/09/3" }, { "reference_url": "https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf", "reference_id": "8howpf3png0wrgpls46ggk441oczlfvf", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:04:23Z/" } ], "url": "https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf" }, { "reference_url": "https://github.com/advisories/GHSA-2cx9-54hp-r698", "reference_id": "GHSA-2cx9-54hp-r698", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2cx9-54hp-r698" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372313?format=api", "purl": "pkg:pypi/apache-superset@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0" } ], "aliases": [ "CVE-2024-53948", "GHSA-2cx9-54hp-r698" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mwbp-vuvw-mua1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/118233?format=api", "vulnerability_id": "VCID-pvr6-v3ds-sqcr", "summary": "An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. 
This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.\n\nThis issue affects Apache Superset: before 4.1.2.\n\nUsers are recommended to upgrade to version 4.1.2, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48912", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56887", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56876", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56751", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56872", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48912" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48912", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48912" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/05/30/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { 
"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/05/30/3" }, { "reference_url": "https://github.com/advisories/GHSA-8w7f-8pr9-xgwj", "reference_id": "GHSA-8w7f-8pr9-xgwj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8w7f-8pr9-xgwj" }, { "reference_url": "https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135", "reference_id": "ms2t2oq218hb7l628trsogo4fj7h1135", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T12:55:47Z/" } ], "url": "https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39576?format=api", "purl": "pkg:pypi/apache-superset@4.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2" } ], "aliases": [ "CVE-2025-48912", "GHSA-8w7f-8pr9-xgwj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pvr6-v3ds-sqcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66654?format=api", "vulnerability_id": 
"VCID-tvfr-mp56-b7f4", "summary": "Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23980", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12784", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.1287", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12879", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12889", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23980" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23980", "reference_id": 
"CVE-2026-23980", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23980" }, { "reference_url": "https://github.com/advisories/GHSA-gvxg-9hqx-f4rg", "reference_id": "GHSA-gvxg-9hqx-f4rg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gvxg-9hqx-f4rg" }, { "reference_url": "https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4", "reference_id": "h4l02zw1pr2vywv0dc5zjn3grdcdhwf4", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:05:27Z/" } ], "url": "https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39575?format=api", "purl": "pkg:pypi/apache-superset@6.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0" } ], "aliases": [ "CVE-2026-23980", "GHSA-gvxg-9hqx-f4rg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tvfr-mp56-b7f4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66947?format=api", "vulnerability_id": "VCID-ubwg-81j2-8yhd", "summary": "An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access 
to bypass the read-only verification check when using a PostgreSQL database connection.\nWhile the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23984", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12856", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12943", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12952", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12963", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23984" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/8" }, { "reference_url": 
"https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26", "reference_id": "72cmgxtvp9pclto4ln1chbs1227nwd26", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:51:19Z/" } ], "url": "https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23984", "reference_id": "CVE-2026-23984", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23984" }, { "reference_url": "https://github.com/advisories/GHSA-mwf2-qr4v-94h2", "reference_id": "GHSA-mwf2-qr4v-94h2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mwf2-qr4v-94h2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39575?format=api", "purl": "pkg:pypi/apache-superset@6.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0" } ], "aliases": [ "CVE-2026-23984", "GHSA-mwf2-qr4v-94h2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ubwg-81j2-8yhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66960?format=api", "vulnerability_id": "VCID-us7y-vvzr-2fea", "summary": "A Sensitive Data Exposure vulnerability exists in Apache Superset 
allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.\nWhen these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data \n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23983", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17696", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17688", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17536", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17713", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23983" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/7", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/24/7" }, { "reference_url": "https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww", "reference_id": "62mgbc5hc8026skp69kb6vqozj3pr5ww", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:46:54Z/" } ], "url": "https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23983", "reference_id": "CVE-2026-23983", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23983" }, { "reference_url": "https://github.com/advisories/GHSA-h294-8fxm-m2pj", "reference_id": "GHSA-h294-8fxm-m2pj", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h294-8fxm-m2pj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39575?format=api", "purl": "pkg:pypi/apache-superset@6.0.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0" } ], "aliases": [ "CVE-2026-23983", "GHSA-h294-8fxm-m2pj" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-us7y-vvzr-2fea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/121536?format=api", "vulnerability_id": "VCID-v735-muyq-h7hr", "summary": "A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55672", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44475", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44316", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44469", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00217", "scoring_system": "epss", "scoring_elements": "0.44488", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55672" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55672", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55672" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/08/14/4" }, { "reference_url": "https://github.com/advisories/GHSA-fj97-2v9x-w5m4", "reference_id": "GHSA-fj97-2v9x-w5m4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fj97-2v9x-w5m4" }, { "reference_url": "https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj", "reference_id": "rvh7fdjfzxzjhcfwoz7twc2brhvochdj", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:52:16Z/" } ], "url": "https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377635?format=api", "purl": "pkg:pypi/apache-superset@5.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0" } ], "aliases": [ "CVE-2025-55672", "GHSA-fj97-2v9x-w5m4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v735-muyq-h7hr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44744?format=api", "vulnerability_id": "VCID-xsmf-gtwu-1kae", "summary": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.\n\nThis issue affects Apache Superset: <4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue, or to add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53947", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61214", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61219", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61108", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.61223", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53947" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { 
"value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53947", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53947" }, { "reference_url": "https://github.com/advisories/GHSA-92qf-8gh3-gwcm", "reference_id": "GHSA-92qf-8gh3-gwcm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-92qf-8gh3-gwcm" }, { "reference_url": "https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn", "reference_id": "hj3gfsjh67vqw12nlrshlsym4bkopjmn", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "2.3", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:05:04Z/" } ], "url": "https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/372313?format=api", "purl": "pkg:pypi/apache-superset@4.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-35bq-93h8-qufg" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { "vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-pvr6-v3ds-sqcr" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" }, { "vulnerability": "VCID-zvzt-19xv-6ubd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0" } ], "aliases": [ "CVE-2024-53947", "GHSA-92qf-8gh3-gwcm" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xsmf-gtwu-1kae" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/116858?format=api", "vulnerability_id": "VCID-zvzt-19xv-6ubd", "summary": "Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.\n\nThis issue affects Apache Superset: through 4.1.1.\n\nUsers are recommended to upgrade to version 4.1.2 or above, which fixes the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27696", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00079", 
"scoring_system": "epss", "scoring_elements": "0.23681", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23671", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23484", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.2369", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27696" }, { "reference_url": "https://github.com/apache/superset", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset" }, { "reference_url": "https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27696", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, 
{ "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27696" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2025/05/12/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2025/05/12/3" }, { "reference_url": "https://github.com/advisories/GHSA-w6c7-j32f-rq8j", "reference_id": "GHSA-w6c7-j32f-rq8j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w6c7-j32f-rq8j" }, { "reference_url": "https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413", "reference_id": "k2od03bxnxs6vcp80sr03ywcxl194413", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-13T13:15:33Z/" } ], "url": "https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39576?format=api", "purl": "pkg:pypi/apache-superset@4.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2bqf-unav-tbfs" }, { "vulnerability": "VCID-8bqq-wrc2-b3de" }, { 
"vulnerability": "VCID-djyw-btmk-tyc1" }, { "vulnerability": "VCID-mjty-hv8c-mbck" }, { "vulnerability": "VCID-tvfr-mp56-b7f4" }, { "vulnerability": "VCID-ubwg-81j2-8yhd" }, { "vulnerability": "VCID-us7y-vvzr-2fea" }, { "vulnerability": "VCID-v735-muyq-h7hr" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2" } ], "aliases": [ "CVE-2025-27696", "GHSA-w6c7-j32f-rq8j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zvzt-19xv-6ubd" } ], "fixing_vulnerabilities": [], "risk_score": "4.4", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.0rc2" }