{"url":"http://public2.vulnerablecode.io/api/packages/32255?format=json","purl":"pkg:pypi/apache-superset@3.1.3","type":"pypi","namespace":"","name":"apache-superset","version":"3.1.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.0.0","latest_non_vulnerable_version":"6.0.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59435?format=json","vulnerability_id":"VCID-1gqt-cpea-b7ht","summary":"Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQL Lab access can craft a specially designed SQL DML statement that is incorrectly identified as a read-only query, enabling its execution. Non-Postgres analytics database connections and Postgres analytics database connections set with a read-only user (advised) are not vulnerable. \n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55633","reference_id":"","reference_type":"","scores":[{"value":"0.01043","scoring_system":"epss","scoring_elements":"0.77963","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01043","scoring_system":"epss","scoring_elements":"0.77956","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01043","scoring_system":"epss","scoring_elements":"0.77881","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01043","scoring_system":"epss","scoring_elements":"0.7795","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-55633"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scorin
g_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55633","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55633"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/12/12/1","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/12/12/1"},{"reference_url":"https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb","reference_id":"bwmd17fcvljt9q4cgctp4v09zh3qs7fb","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-12T15:27:53Z/"}],"url":"https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb"},{"reference_url":"https://github.com/advisories/GHSA-787v-v9vq-4rgv","reference_id":"GHSA-787v-v9vq-4rgv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7
87v-v9vq-4rgv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372313?format=json","purl":"pkg:pypi/apache-superset@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-35bq-93h8-qufg"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-pvr6-v3ds-sqcr"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"},{"vulnerability":"VCID-zvzt-19xv-6ubd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0"}],"aliases":["CVE-2024-55633","GHSA-787v-v9vq-4rgv"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1gqt-cpea-b7ht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121409?format=json","vulnerability_id":"VCID-2bqf-unav-tbfs","summary":"Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. 
By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55675","reference_id":"","reference_type":"","scores":[{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.49046","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.49033","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48892","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.49028","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55675"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55675","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55675"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/08/14/6","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scorin
g_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/08/14/6"},{"reference_url":"https://github.com/advisories/GHSA-mhpq-m962-mg92","reference_id":"GHSA-mhpq-m962-mg92","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mhpq-m962-mg92"},{"reference_url":"https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33","reference_id":"op681b4kbd7g84tfjf9omz0sxggbcv33","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:47:53Z/"}],"url":"https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377635?format=json","purl":"pkg:pypi/apache-superset@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0"}],"aliases":["CVE-2025-55675","GHSA-mhpq-m962-mg92"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2bqf-unav-tbfs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66962?format=json","vulnerability_id":"VCID-35bq-93h8-qufg","summary":"Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. 
While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.\n\nThis issue affects Apache Superset: before 4.1.2.\n\nUsers are recommended to upgrade to version 4.1.2, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23969","reference_id":"","reference_type":"","scores":[{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21453","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21624","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.21637","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00069","scoring_system":"epss","scoring_elements":"0.2165","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23969"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/24/4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/02/24/4"},{"reference_url":"https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd","reference_id":"2q22sp4oj3krcgdkxchhtht0vgwp2wnd","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scori
ng_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:03:24Z/"}],"url":"https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23969","reference_id":"CVE-2026-23969","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23969"},{"reference_url":"https://github.com/advisories/GHSA-48m2-v2r8-h23m","reference_id":"GHSA-48m2-v2r8-h23m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-48m2-v2r8-h23m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39576?format=json","purl":"pkg:pypi/apache-superset@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2"}],"aliases":["CVE-2026-23969","GHSA-48m2-v2r8-h23m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-35bq-93h8-qufg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66895?format=json","vulnerability_id":"VCID-8bqq-wrc2-b3de","summary":"An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. 
When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23982","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13535","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13512","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13418","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13539","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23982"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/24/6","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/02/24/6"},{"reference_url":"https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp","reference_id":"9lvbzwkw4rxgdvbpfvnnnfcll92v75fp","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_
elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:44:20Z/"}],"url":"https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23982","reference_id":"CVE-2026-23982","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23982"},{"reference_url":"https://github.com/advisories/GHSA-3m2g-v7jf-7fxc","reference_id":"GHSA-3m2g-v7jf-7fxc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3m2g-v7jf-7fxc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39575?format=json","purl":"pkg:pypi/apache-superset@6.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0"}],"aliases":["CVE-2026-23982","GHSA-3m2g-v7jf-7fxc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8bqq-wrc2-b3de"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44343?format=json","vulnerability_id":"VCID-czv8-b1v4-s3gv","summary":"Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). 
Allows lower-privilege users to use this API.\n\nThis issue affects Apache Superset: from 2.0.0 before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53949","reference_id":"","reference_type":"","scores":[{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56828","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56703","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56838","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56824","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53949"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53949","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1"
,"scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53949"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/12/09/4","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/12/09/4"},{"reference_url":"https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d","reference_id":"d3scbwmfpzbpm6npnzdw5y4owtqqyq8d","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-09T15:01:51Z/"}],"url":"https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d"},{"reference_url":"https://github.com/advisories/GHSA-35fc-9hrj-3585","reference_id":"GHSA-35fc-9hrj-3585","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-35fc-9hrj-3585"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372313?format=json","purl":"pkg:pypi/apache-superset@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerabil
ity":"VCID-35bq-93h8-qufg"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-pvr6-v3ds-sqcr"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"},{"vulnerability":"VCID-zvzt-19xv-6ubd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0"}],"aliases":["CVE-2024-53949","GHSA-35fc-9hrj-3585"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-czv8-b1v4-s3gv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121655?format=json","vulnerability_id":"VCID-djyw-btmk-tyc1","summary":"When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.\n\nThis issue affects Apache Superset: before 4.1.3.\n\nUsers are recommended to upgrade to version 4.1.3, which fixes the 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55673","reference_id":"","reference_type":"","scores":[{"value":"0.00881","scoring_system":"epss","scoring_elements":"0.75893","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00881","scoring_system":"epss","scoring_elements":"0.75887","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00881","scoring_system":"epss","scoring_elements":"0.75808","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00881","scoring_system":"epss","scoring_elements":"0.75879","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55673"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55673","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55673"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/08/14/3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/08/14/3"},{"reference_url":"https://github.com/advisories/GHSA-9g5x-mm39-wg9r","reference_id":"GHSA-9g5x-mm39-wg9r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https:/
/github.com/advisories/GHSA-9g5x-mm39-wg9r"},{"reference_url":"https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8","reference_id":"h2hw756wk4sj4z49blvzkr5fntl9hlf8","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T14:02:38Z/"}],"url":"https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377620?format=json","purl":"pkg:pypi/apache-superset@4.1.3.post1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.3.post1"}],"aliases":["CVE-2025-55673","GHSA-9g5x-mm39-wg9r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-djyw-btmk-tyc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46704?format=json","vulnerability_id":"VCID-f3cr-98hh-qygb","summary":"An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. 
This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.\n\nThis issue affects Apache Superset: before 4.0.2.\n\nUsers are recommended to upgrade to version 4.0.2, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39887","reference_id":"","reference_type":"","scores":[{"value":"0.61396","scoring_system":"epss","scoring_elements":"0.98352","published_at":"2026-06-11T12:55:00Z"},{"value":"0.61396","scoring_system":"epss","scoring_elements":"0.98359","published_at":"2026-06-13T12:55:00Z"},{"value":"0.61396","scoring_system":"epss","scoring_elements":"0.98358","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39887"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/07/16/5","reference_id":"5","reference_type":"","
scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/07/16/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39887","reference_id":"CVE-2024-39887","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39887"},{"reference_url":"https://github.com/advisories/GHSA-2q6j-vpvr-6pvj","reference_id":"GHSA-2q6j-vpvr-6pvj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2q6j-vpvr-6pvj"},{"reference_url":"https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz","reference_id":"j55vm41jg3l0x6w49zrmvbf3k0ts5fqz","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/"}],"url":"https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz"}],"fixed_packages":[{"url":"http://public2.vu
lnerablecode.io/api/packages/32665?format=json","purl":"pkg:pypi/apache-superset@4.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1gqt-cpea-b7ht"},{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-35bq-93h8-qufg"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-czv8-b1v4-s3gv"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-mwbp-vuvw-mua1"},{"vulnerability":"VCID-pvr6-v3ds-sqcr"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"},{"vulnerability":"VCID-xsmf-gtwu-1kae"},{"vulnerability":"VCID-zvzt-19xv-6ubd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.2"}],"aliases":["CVE-2024-39887","GHSA-2q6j-vpvr-6pvj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f3cr-98hh-qygb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121675?format=json","vulnerability_id":"VCID-mjty-hv8c-mbck","summary":"A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. 
This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55674","reference_id":"","reference_type":"","scores":[{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.5972","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.5971","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59599","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00376","scoring_system":"epss","scoring_elements":"0.59708","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55674"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55674","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55674"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/08/14/5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_el
ements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/08/14/5"},{"reference_url":"https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo","reference_id":"cn49ps15ny3g2b1qzdg5mj7hp47p5jdo","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:49:40Z/"}],"url":"https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo"},{"reference_url":"https://github.com/advisories/GHSA-fxgf-3xh6-m2pp","reference_id":"GHSA-fxgf-3xh6-m2pp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fxgf-3xh6-m2pp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377635?format=json","purl":"pkg:pypi/apache-superset@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0"}],"aliases":["CVE-2025-55674","GHSA-fxgf-3xh6-m2pp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mjty-hv8c-mbck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44491?format=json","vulnerability_id":"VCID-mwbp-vuvw-mua1","summary":"Generation of Error Message Containing analytics metadata Information in Apache Superset.\n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53948","reference_id":"","reference_type":"","scores":[{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.3865","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38466","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38661","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00172","scoring_system":"epss","scoring_elements":"0.38639","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53948"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53948","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/
VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53948"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/12/09/3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/12/09/3"},{"reference_url":"https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf","reference_id":"8howpf3png0wrgpls46ggk441oczlfvf","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:04:23Z/"}],"url":"https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf"},{"reference_url":"https://github.com/advisories/GHSA-2cx9-54hp-r698","reference_id":"GHSA-2cx9-54hp-r698","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2cx9-54hp-r698"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372313?format=json","purl":"pkg:pypi/apache-superset@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-35bq-93h8-qufg"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnera
bility":"VCID-pvr6-v3ds-sqcr"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"},{"vulnerability":"VCID-zvzt-19xv-6ubd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0"}],"aliases":["CVE-2024-53948","GHSA-2cx9-54hp-r698"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mwbp-vuvw-mua1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/118233?format=json","vulnerability_id":"VCID-pvr6-v3ds-sqcr","summary":"An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.\n\nThis issue affects Apache Superset: before 4.1.2.\n\nUsers are recommended to upgrade to version 4.1.2, which fixes the 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48912","reference_id":"","reference_type":"","scores":[{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56887","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56876","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56751","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56872","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-48912"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48912","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48912"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/05/30/3","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/05/30/3"},{"reference_url":"https://github.com/advisories/GHSA-8w7f-8pr9-xgwj","reference_id":"GHSA-8w7f-8pr9-xgwj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advi
sories/GHSA-8w7f-8pr9-xgwj"},{"reference_url":"https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135","reference_id":"ms2t2oq218hb7l628trsogo4fj7h1135","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T12:55:47Z/"}],"url":"https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39576?format=json","purl":"pkg:pypi/apache-superset@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2"}],"aliases":["CVE-2025-48912","GHSA-8w7f-8pr9-xgwj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pvr6-v3ds-sqcr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66654?format=json","vulnerability_id":"VCID-tvfr-mp56-b7f4","summary":"Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23980","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12784","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.1287","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12879","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12889","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23980"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/24/5","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/02/24/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23980","reference_id":"CVE-2026-23980","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23980"},{"reference_url":"https://github.com/advisories/GHSA-gvxg-9hqx-f4rg","reference_id":"GHSA-gvxg-9hqx-f4rg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"
url":"https://github.com/advisories/GHSA-gvxg-9hqx-f4rg"},{"reference_url":"https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4","reference_id":"h4l02zw1pr2vywv0dc5zjn3grdcdhwf4","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:05:27Z/"}],"url":"https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39575?format=json","purl":"pkg:pypi/apache-superset@6.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0"}],"aliases":["CVE-2026-23980","GHSA-gvxg-9hqx-f4rg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tvfr-mp56-b7f4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66947?format=json","vulnerability_id":"VCID-ubwg-81j2-8yhd","summary":"An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection.\nWhile the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the 
issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23984","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12856","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12943","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12952","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12963","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23984"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/24/8","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/02/24/8"},{"reference_url":"https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26","reference_id":"72cmgxtvp9pclto4ln1chbs1227nwd26","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:51:19Z/"}],"url":"https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26"},{"reference_url":"https://nvd.nist.gov/vuln/detail/
CVE-2026-23984","reference_id":"CVE-2026-23984","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23984"},{"reference_url":"https://github.com/advisories/GHSA-mwf2-qr4v-94h2","reference_id":"GHSA-mwf2-qr4v-94h2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mwf2-qr4v-94h2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39575?format=json","purl":"pkg:pypi/apache-superset@6.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0"}],"aliases":["CVE-2026-23984","GHSA-mwf2-qr4v-94h2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ubwg-81j2-8yhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66960?format=json","vulnerability_id":"VCID-us7y-vvzr-2fea","summary":"A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.\nWhen these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. 
This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue, or make sure TAGGING_SYSTEM is False (the current Apache Superset default).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23983","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17696","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17688","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17536","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17713","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-23983"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/02/24/7","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/02/24/7"},{"reference_url":"https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww","reference_id":"62mgbc5hc8026skp69kb6vqozj3pr5ww","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"val
ue":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:46:54Z/"}],"url":"https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23983","reference_id":"CVE-2026-23983","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23983"},{"reference_url":"https://github.com/advisories/GHSA-h294-8fxm-m2pj","reference_id":"GHSA-h294-8fxm-m2pj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h294-8fxm-m2pj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39575?format=json","purl":"pkg:pypi/apache-superset@6.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0"}],"aliases":["CVE-2026-23983","GHSA-h294-8fxm-m2pj"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-us7y-vvzr-2fea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121536?format=json","vulnerability_id":"VCID-v735-muyq-h7hr","summary":"A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. 
The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55672","reference_id":"","reference_type":"","scores":[{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44475","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44316","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44469","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.44488","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55672"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55672","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55672"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/08/14/4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_sy
stem":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/08/14/4"},{"reference_url":"https://github.com/advisories/GHSA-fj97-2v9x-w5m4","reference_id":"GHSA-fj97-2v9x-w5m4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fj97-2v9x-w5m4"},{"reference_url":"https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj","reference_id":"rvh7fdjfzxzjhcfwoz7twc2brhvochdj","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:52:16Z/"}],"url":"https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377635?format=json","purl":"pkg:pypi/apache-superset@5.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0"}],"aliases":["CVE-2025-55672","GHSA-fj97-2v9x-w5m4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v735-muyq-h7hr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44744?format=json","vulnerability_id":"VCID-xsmf-gtwu-1kae","summary":"Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. 
This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.\n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue, or add these Postgres functions to the DISALLOWED_SQL_FUNCTIONS configuration set.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53947","reference_id":"","reference_type":"","scores":[{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61214","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61219","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61108","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61223","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53947"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/0e0028260fc8a2
099250701524a489f3c9aa146f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53947","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53947"},{"reference_url":"https://github.com/advisories/GHSA-92qf-8gh3-gwcm","reference_id":"GHSA-92qf-8gh3-gwcm","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-92qf-8gh3-gwcm"},{"reference_url":"https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn","reference_id":"hj3gfsjh67vqw12nlrshlsym4bkopjmn","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:05:04Z/"}],"url":"https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372313?format=json","purl":"pkg:pypi/apache-superset@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-35bq-93h8-qufg"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-pvr6-v3ds-sqcr"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnera
bility":"VCID-v735-muyq-h7hr"},{"vulnerability":"VCID-zvzt-19xv-6ubd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0"}],"aliases":["CVE-2024-53947","GHSA-92qf-8gh3-gwcm"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xsmf-gtwu-1kae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/116858?format=json","vulnerability_id":"VCID-zvzt-19xv-6ubd","summary":"Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.\n\nThis issue affects Apache Superset: through 4.1.1.\n\nUsers are recommended to upgrade to version 4.1.2 or above, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27696","reference_id":"","reference_type":"","scores":[{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23681","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23671","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.23484","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00079","scoring_system":"epss","scoring_elements":"0.2369","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27696"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b
81122b425","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27696","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27696"},{"reference_url":"http://www.openwall.com/lists/oss-security/2025/05/12/3","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2025/05/12/3"},{"reference_url":"https://github.com/advisories/GHSA-w6c7-j32f-rq8j","reference_id":"GHSA-w6c7-j32f-rq8j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w6c7-j32f-rq8j"},{"reference_url":"https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413","reference_id":"k2od03bxnxs6vcp80sr03ywcxl194413","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-13T13:15:33Z/"}],"url":"https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39576?format=json","purl":"pkg:pypi/apache-superset@4.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2"}],"aliases":["CVE-2025-27696","GHSA-w6c7-j32f-rq8j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zvzt-19xv-6ubd"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49457?format=json","vulnerability_id":"VCID-vafu-fk53-6yd4","summary":"Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. 
If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table. This issue affects Apache Superset: before 3.1.3 and version 4.0.0.\n\nUsers are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34693","reference_id":"","reference_type":"","scores":[{"value":"0.12622","scoring_system":"epss","scoring_elements":"0.94122","published_at":"2026-06-11T12:55:00Z"},{"value":"0.12622","scoring_system":"epss","scoring_elements":"0.9415","published_at":"2026-06-14T12:55:00Z"},{"value":"0.12622","scoring_system":"epss","scoring_elements":"0.94148","published_at":"2026-06-13T12:55:00Z"},{"value":"0.12622","scoring_system":"epss","scoring_elements":"0.94143","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34693"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/06/20/1","reference_id":"1","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"va
lue":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T12:55:23Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/06/20/1"},{"reference_url":"https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon","reference_id":"1803x1s34m7r71h1k0q1njol8k6fmyon","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T12:55:23Z/"}],"url":"https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34693","reference_id":"CVE-2024-34693","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34693"},{"reference_url":"https://github.com/advisories/GHSA-hcr7-cqwc-q5gq","reference_id":"GHSA-hcr7-cqwc-q5gq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hcr7-cqwc-q5gq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32255?format=json","purl":"pkg:pypi/apache-superset@3.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1gqt-cpea-b7ht"},{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-35bq-93h8-qufg"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-czv8-
b1v4-s3gv"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-f3cr-98hh-qygb"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-mwbp-vuvw-mua1"},{"vulnerability":"VCID-pvr6-v3ds-sqcr"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"},{"vulnerability":"VCID-xsmf-gtwu-1kae"},{"vulnerability":"VCID-zvzt-19xv-6ubd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/32254?format=json","purl":"pkg:pypi/apache-superset@4.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1gqt-cpea-b7ht"},{"vulnerability":"VCID-2bqf-unav-tbfs"},{"vulnerability":"VCID-35bq-93h8-qufg"},{"vulnerability":"VCID-8bqq-wrc2-b3de"},{"vulnerability":"VCID-czv8-b1v4-s3gv"},{"vulnerability":"VCID-djyw-btmk-tyc1"},{"vulnerability":"VCID-f3cr-98hh-qygb"},{"vulnerability":"VCID-mjty-hv8c-mbck"},{"vulnerability":"VCID-mwbp-vuvw-mua1"},{"vulnerability":"VCID-pvr6-v3ds-sqcr"},{"vulnerability":"VCID-tvfr-mp56-b7f4"},{"vulnerability":"VCID-ubwg-81j2-8yhd"},{"vulnerability":"VCID-us7y-vvzr-2fea"},{"vulnerability":"VCID-v735-muyq-h7hr"},{"vulnerability":"VCID-xsmf-gtwu-1kae"},{"vulnerability":"VCID-zvzt-19xv-6ubd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.1"}],"aliases":["CVE-2024-34693","GHSA-hcr7-cqwc-q5gq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vafu-fk53-6yd4"}],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@3.1.3"}