{"url":"http://public2.vulnerablecode.io/api/packages/52625?format=json","purl":"pkg:pypi/superset@0.18.4","type":"pypi","namespace":"","name":"superset","version":"0.18.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.1.2","latest_non_vulnerable_version":"2.1.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207662?format=json","vulnerability_id":"VCID-2npv-nu15-6uee","summary":"Insufficiently Protected Credentials in Apache Superset","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44451","reference_id":"","reference_type":"","scores":[{"value":"0.8336","scoring_system":"epss","scoring_elements":"0.99291","published_at":"2026-06-11T12:55:00Z"},{"value":"0.8336","scoring_system":"epss","scoring_elements":"0.99294","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-44451"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2022-36.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2022-36.yaml"},{"reference_url":"https://l
ists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/xww1pccs2ckb5506wrf1v4lmxg198vkb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44451","reference_id":"CVE-2021-44451","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44451"},{"reference_url":"https://github.com/advisories/GHSA-hhm3-48h2-597v","reference_id":"GHSA-hhm3-48h2-597v","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhm3-48h2-597v"}],"fixed_packages":[],"aliases":["BIT-superset-2021-44451","CVE-2021-44451","GHSA-hhm3-48h2-597v","PYSEC-2022-36"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2npv-nu15-6uee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145702?format=json","vulnerability_id":"VCID-3aw6-59a3-eba8","summary":"Improper data authorization 
check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27523","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22235","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22044","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27523"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27523","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27523"},{"reference_url":"https://lists.apache.org/thread/3y97nmwm956b6zg3l8dh9oj0w7dj945h","reference_id":"3y97nmwm956b6zg3l8dh9oj0w7dj945h","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T14:49:47Z/"}],"url":"https://lists.apache.org/thread/3y97nmwm956b6zg3l8dh9oj0w7dj945h"},{"reference_url":"https://github.com/advisories/GHS
A-v594-2c97-hx38","reference_id":"GHSA-v594-2c97-hx38","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v594-2c97-hx38"}],"fixed_packages":[],"aliases":["CVE-2023-27523","GHSA-v594-2c97-hx38"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3aw6-59a3-eba8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211001?format=json","vulnerability_id":"VCID-3q94-rkzw-q7bb","summary":"Apache Superset allows authenticated users to access metadata they have no permission to","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37839","reference_id":"","reference_type":"","scores":[{"value":"0.00345","scoring_system":"epss","scoring_elements":"0.57548","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00345","scoring_system":"epss","scoring_elements":"0.57431","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37839"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/2bd89d1705347da5446902a3f65eb8d0a6353503","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/2bd89d1705347da5446902a3f65eb8d0a6353503"},{"reference_url":"https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82","reference_id":"","reference_type":"","scores":[{"value":"4.3"
,"scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/pwqyxxmn5gh7cnw3qsp66v0lt4xojt82"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37839","reference_id":"CVE-2021-37839","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37839"},{"reference_url":"https://github.com/advisories/GHSA-748r-5r8q-273m","reference_id":"GHSA-748r-5r8q-273m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-748r-5r8q-273m"}],"fixed_packages":[],"aliases":["CVE-2021-37839","GHSA-748r-5r8q-273m"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3q94-rkzw-q7bb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/165630?format=json","vulnerability_id":"VCID-3sh2-fv5f-jkh5","summary":"When explicitly enabling the feature flag DASHBOARD_CACHE (disabled by default), the system allowed for an unauthenticated user to access dashboard configuration metadata using a REST API Get endpoint. 
This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-45438","reference_id":"","reference_type":"","scores":[{"value":"0.02695","scoring_system":"epss","scoring_elements":"0.86249","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0324","scoring_system":"epss","scoring_elements":"0.87393","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-45438"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45438","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45438"},{"reference_url":"https://github.com/advisories/GHSA-8f5j-mgx9-5hm5","reference_id":"GHSA-8f5j-mgx9-5hm5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8f5j-mgx9-5hm5"},{"reference_url":"https://lists.apache.org/thread/snxbkf2x9kww7s0wkmydct9nhqqn9rv9","reference_id":"snxbkf2x9kww7s0wkmydct9nhqqn9rv9","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T14:59:07Z/"}],"url":"https://lists.apache.org/thread/snxbkf2x9kww7s
0wkmydct9nhqqn9rv9"}],"fixed_packages":[],"aliases":["CVE-2022-45438","GHSA-8f5j-mgx9-5hm5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3sh2-fv5f-jkh5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208797?format=json","vulnerability_id":"VCID-46y8-wuk7-hfad","summary":"SQL injection in apache-superset","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-27479","reference_id":"","reference_type":"","scores":[{"value":"0.04329","scoring_system":"epss","scoring_elements":"0.89154","published_at":"2026-06-11T12:55:00Z"},{"value":"0.04329","scoring_system":"epss","scoring_elements":"0.89192","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-27479"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2022-188.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2022-188.yaml"},{"reference_url":"https://lists.apache.org/thread/94th50j5d0y2fw7ysx0g7w3t6jk3z7q6","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/94th50j5d0y2fw7ysx
0g7w3t6jk3z7q6"},{"reference_url":"https://lists.apache.org/thread/ztb9b6jd9rngoxwvq8r4fhpp401o613y","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/ztb9b6jd9rngoxwvq8r4fhpp401o613y"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/04/13/3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2022/04/13/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27479","reference_id":"CVE-2022-27479","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-27479"},{"reference_url":"https://github.com/advisories/GHSA-wh73-hpcg-v32j","reference_id":"GHSA-wh73-hpcg-v32j","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wh73-hpcg-v32j"}],"fixed_packages":[],"aliases":["BIT-superset-2022-27479","CVE-2022-27479","GHSA-wh73-hpcg-v32j","PYSEC-2022-188"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-46y8-wuk7-hfad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/356675?format=json","vulnerability_id":"VCID-4axb
-e4nm-3fcy","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42502","reference_id":"","reference_type":"","scores":[{"value":"0.00099","scoring_system":"epss","scoring_elements":"0.27068","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00099","scoring_system":"epss","scoring_elements":"0.27271","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42502"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/n8348f194d8o8mln3oxd0s8jdl5bxbmn"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42502","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42502"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/28/3","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/11/28/3"},{"reference_url":"https://github.com/advisories/GHSA-hc74-9vjm-c9xv","reference_id":"G
HSA-hc74-9vjm-c9xv","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hc74-9vjm-c9xv"}],"fixed_packages":[],"aliases":["CVE-2023-42502","GHSA-hc74-9vjm-c9xv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4axb-e4nm-3fcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210567?format=json","vulnerability_id":"VCID-4zgy-r2br-37hy","summary":"Apache Superset allowed for database connections password leak for authenticated users","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41972","reference_id":"","reference_type":"","scores":[{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46445","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.4659","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-41972"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-434.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gith
ub.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-434.yaml"},{"reference_url":"https://lists.apache.org/thread/xpdl2r538o695o7r9gd9qrwqb17bdd3v","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/xpdl2r538o695o7r9gd9qrwqb17bdd3v"},{"reference_url":"https://seclists.org/oss-sec/2021/q4/106","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://seclists.org/oss-sec/2021/q4/106"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41972","reference_id":"CVE-2021-41972","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41972"},{"reference_url":"https://github.com/advisories/GHSA-42q4-9xf9-f67x","reference_id":"GHSA-42q4-9xf9-f67x","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N
/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-42q4-9xf9-f67x"}],"fixed_packages":[],"aliases":["BIT-superset-2021-41972","CVE-2021-41972","GHSA-42q4-9xf9-f67x","PYSEC-2021-434"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4zgy-r2br-37hy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136369?format=json","vulnerability_id":"VCID-58d5-z1y6-qffj","summary":"An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36387","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06585","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06608","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36387"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36387","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36387"},{"reference_url":"https://github.com/apache/superset/pull/24185","reference_id":"24185","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","sc
oring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T18:00:10Z/"}],"url":"https://github.com/apache/superset/pull/24185"},{"reference_url":"https://github.com/advisories/GHSA-9832-mgg4-3gr6","reference_id":"GHSA-9832-mgg4-3gr6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9832-mgg4-3gr6"},{"reference_url":"https://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3","reference_id":"tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T18:00:10Z/"}],"url":"https://lists.apache.org/thread/tt6s6hm8nv6s11z8bfsk3r3d9ov0ogw3"}],"fixed_packages":[],"aliases":["CVE-2023-36387","GHSA-9832-mgg4-3gr6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-58d5-z1y6-qffj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145501?format=json","vulnerability_id":"VCID-5m3g-6uya-1fe3","summary":"A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 
2.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27526","reference_id":"","reference_type":"","scores":[{"value":"0.00126","scoring_system":"epss","scoring_elements":"0.3161","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00126","scoring_system":"epss","scoring_elements":"0.31418","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27526"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27526","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27526"},{"reference_url":"https://github.com/advisories/GHSA-9qc3-p9jq-2x27","reference_id":"GHSA-9qc3-p9jq-2x27","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9qc3-p9jq-2x27"},{"reference_url":"https://lists.apache.org/thread/ndww89yl2jd98lvn23n9cj722lfdg8dv","reference_id":"ndww89yl2jd98lvn23n9cj722lfdg8dv","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T14:50:41Z/"}],"url":"https://lists.apache.org/thread/ndww89yl2jd98lvn23n9cj722lfdg8dv"}],"fixed_packages":[],"aliases":["CVE-2023-27526","GHSA-9qc3
-p9jq-2x27"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5m3g-6uya-1fe3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/136294?format=json","vulnerability_id":"VCID-6brk-rjs7-67he","summary":"Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36388","reference_id":"","reference_type":"","scores":[{"value":"0.00133","scoring_system":"epss","scoring_elements":"0.32642","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00133","scoring_system":"epss","scoring_elements":"0.32461","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-36388"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36388","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36388"},{"reference_url":"https://lists.apache.org/thread/ccmjjz4jp17yc2kcd18qshmdtf7qorfs","reference_id":"ccmjjz4jp17yc2kcd18qshmdtf7qorfs","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A
:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T14:50:04Z/"}],"url":"https://lists.apache.org/thread/ccmjjz4jp17yc2kcd18qshmdtf7qorfs"},{"reference_url":"https://github.com/advisories/GHSA-4fg9-5w46-xmrj","reference_id":"GHSA-4fg9-5w46-xmrj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4fg9-5w46-xmrj"}],"fixed_packages":[],"aliases":["CVE-2023-36388","GHSA-4fg9-5w46-xmrj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6brk-rjs7-67he"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210574?format=json","vulnerability_id":"VCID-7zqa-ny6m-kqfw","summary":"Improper Encoding or Escaping of Output in Apache Superset","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-42250","reference_id":"","reference_type":"","scores":[{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61551","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61654","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-42250"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-435.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4"
,"scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-435.yaml"},{"reference_url":"https://lists.apache.org/thread/53lkszw6d3tybp5t99nvgcj538b9trw9","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/53lkszw6d3tybp5t99nvgcj538b9trw9"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/11/17/2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/11/17/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42250","reference_id":"CVE-2021-42250","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42250"},{"reference_url":"https://github.com/advisories/GHSA-5fp8-c45m-256p","reference_id":"GHSA-5fp8-c45m-256p","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/P
R:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5fp8-c45m-256p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/391920?format=json","purl":"pkg:pypi/superset@1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2npv-nu15-6uee"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/superset@1.3.2"}],"aliases":["BIT-superset-2021-42250","CVE-2021-42250","GHSA-5fp8-c45m-256p","PYSEC-2021-435"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7zqa-ny6m-kqfw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/356676?format=json","vulnerability_id":"VCID-98eq-5ynn-2ba5","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42505","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13258","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13364","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42505"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://lists.apache.org/thread/bd0fhtfzrtgo1q8x35tpm8ms144d1t2y","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:
3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/bd0fhtfzrtgo1q8x35tpm8ms144d1t2y"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42505","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42505"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/28/5","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/11/28/5"},{"reference_url":"https://github.com/advisories/GHSA-fgpw-4w69-j256","reference_id":"GHSA-fgpw-4w69-j256","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fgpw-4w69-j256"}],"fixed_packages":[],"aliases":["CVE-2023-42505","GHSA-fgpw-4w69-j256"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-98eq-5ynn-2ba5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/139370?format=json","vulnerability_id":"VCID-9wan-6z96-uudu","summary":"Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. 
Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39265","reference_id":"","reference_type":"","scores":[{"value":"0.72085","scoring_system":"epss","scoring_elements":"0.9877","published_at":"2026-06-11T12:55:00Z"},{"value":"0.72085","scoring_system":"epss","scoring_elements":"0.98775","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39265"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39265","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39265"},{"reference_url":"http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html","reference_id":"Apache-Superset-2.0.0-Remote-Code-Execution.html","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2
024-09-27T18:48:12Z/"}],"url":"http://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html"},{"reference_url":"https://github.com/advisories/GHSA-fm4q-j8g4-c9j4","reference_id":"GHSA-fm4q-j8g4-c9j4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fm4q-j8g4-c9j4"},{"reference_url":"https://lists.apache.org/thread/pwdzsdmv4g5g1n2h9m7ortfnxmhr7nfy","reference_id":"pwdzsdmv4g5g1n2h9m7ortfnxmhr7nfy","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-27T18:48:12Z/"}],"url":"https://lists.apache.org/thread/pwdzsdmv4g5g1n2h9m7ortfnxmhr7nfy"}],"fixed_packages":[],"aliases":["CVE-2023-39265","GHSA-fm4q-j8g4-c9j4"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9wan-6z96-uudu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163127?format=json","vulnerability_id":"VCID-au4r-bwjy-rbdw","summary":"Dashboard rendering does not sufficiently sanitize the content of markdown components leading to possible XSS attack vectors that can be performed by authenticated users with create dashboard permissions. 
This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43717","reference_id":"","reference_type":"","scores":[{"value":"0.01349","scoring_system":"epss","scoring_elements":"0.805","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01497","scoring_system":"epss","scoring_elements":"0.81575","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43717"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43717","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43717"},{"reference_url":"https://lists.apache.org/thread/g6zy6vkpvkbj5mj32vmyzwol5ldtg9pl","reference_id":"g6zy6vkpvkbj5mj32vmyzwol5ldtg9pl","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-04T13:51:44Z/"}],"url":"https://lists.apache.org/thread/g6zy6vkpvkbj5mj32vmyzwol5ldtg9pl"},{"reference_url":"https://github.com/advisories/GHSA-9f88-wg5r-947j","reference_id":"GHSA-9f88-wg5r-947j","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GH
SA-9f88-wg5r-947j"}],"fixed_packages":[],"aliases":["CVE-2022-43717","GHSA-9f88-wg5r-947j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-au4r-bwjy-rbdw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218039?format=json","vulnerability_id":"VCID-autt-zyf9-1uhd","summary":"In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated fields including the contents of query description metadata database, the hashed version of the authenticated users’ password, and access to connection information including the plaintext password for the current connection. It would also be possible to run arbitrary methods on the database connection object for the Presto or Hive connection, allowing the user to bypass security controls internal to Superset. This vulnerability is present in every Apache Superset version < 
0.37.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13952","reference_id":"","reference_type":"","scores":[{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.30914","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00122","scoring_system":"epss","scoring_elements":"0.3111","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13952"},{"reference_url":"https://github.com/advisories/GHSA-77pw-c3j2-5fc8","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-77pw-c3j2-5fc8"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2020-223.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2020-223.yaml"},{"reference_url":"https://lists.apache.org/thread.html/rf1faa368f580d2cb691576bee1277855f769667f3114d5df1dacbea6%40%3Cdev.superset.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf1faa368f580d2cb691576bee1277855f769667f3114d5df1dacbea6%40%3Cdev.superset.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13952","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13952"}],"fixed_packages":[],"aliases":["BIT-superset-2020-13952","CVE-2020-13952","GHSA-77pw-c3j2-5fc8","PYSEC-2020-223"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-autt-zyf9-1uhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/135602?format=json","vulnerability_id":"VCID-c1du-my8w-3kc4","summary":"An authenticated malicious user could initiate multiple concurrent requests, each requesting multiple dashboard exports, leading to a possible denial of service.\n\nThis issue affects Apache Superset: before 
3.0.0","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42504","reference_id":"","reference_type":"","scores":[{"value":"0.0029","scoring_system":"epss","scoring_elements":"0.52909","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0029","scoring_system":"epss","scoring_elements":"0.52781","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42504"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42504","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42504"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/28/6","reference_id":"6","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-20T18:13:10Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/11/28/6"},{"reference_url":"https://github.com/advisories/GHSA-3hp7-4qq4-v5c6","reference_id":"GHSA-3hp7-4qq4-v5c6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3hp7-4qq4-v5c6"},
{"reference_url":"https://lists.apache.org/thread/yzq5gk1y9lyw6nxwd3xdkxg1djqw1h6l","reference_id":"yzq5gk1y9lyw6nxwd3xdkxg1djqw1h6l","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-20T18:13:10Z/"}],"url":"https://lists.apache.org/thread/yzq5gk1y9lyw6nxwd3xdkxg1djqw1h6l"}],"fixed_packages":[],"aliases":["CVE-2023-42504","GHSA-3hp7-4qq4-v5c6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c1du-my8w-3kc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163340?format=json","vulnerability_id":"VCID-cmt6-zps1-1yaa","summary":"An authenticated attacker with write CSS template permissions can create a record with specific HTML tags that will not get properly escaped by the toast message displayed when a user deletes that specific CSS template record. 
This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43720","reference_id":"","reference_type":"","scores":[{"value":"0.01468","scoring_system":"epss","scoring_elements":"0.81383","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01787","scoring_system":"epss","scoring_elements":"0.83145","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43720"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43720","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43720"},{"reference_url":"https://github.com/advisories/GHSA-fpmr-qmgh-42x2","reference_id":"GHSA-fpmr-qmgh-42x2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fpmr-qmgh-42x2"},{"reference_url":"https://lists.apache.org/thread/jts6x56kghr9mbowb653bk70pl81jp8l","reference_id":"jts6x56kghr9mbowb653bk70pl81jp8l","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T15:02:39Z/"}],"url":"https://lists.apache.org/thread/jts6x56kghr9m
bowb653bk70pl81jp8l"}],"fixed_packages":[],"aliases":["CVE-2022-43720","GHSA-fpmr-qmgh-42x2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cmt6-zps1-1yaa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145979?format=json","vulnerability_id":"VCID-ew1h-9gne-ckda","summary":"An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27525","reference_id":"","reference_type":"","scores":[{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67893","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67804","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27525"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27525","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27525"},{"reference_url":"https://github.com/advisories/GHSA-7jhg-8m74-6f6g","reference_id":"GHSA-7jhg-8m74-6f6g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7jhg-8m74-6f6g"},{"reference_url":"https://lists.apache.org/thread/wpv7b17zjg2pmvpfk
dd6nn8sco8y2q77","reference_id":"wpv7b17zjg2pmvpfkdd6nn8sco8y2q77","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T16:03:40Z/"}],"url":"https://lists.apache.org/thread/wpv7b17zjg2pmvpfkdd6nn8sco8y2q77"}],"fixed_packages":[],"aliases":["CVE-2023-27525","GHSA-7jhg-8m74-6f6g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ew1h-9gne-ckda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/202504?format=json","vulnerability_id":"VCID-fevm-q2v2-gkb4","summary":"Deserialization of Untrusted Data in superset","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-8021","reference_id":"","reference_type":"","scores":[{"value":"0.6434","scoring_system":"epss","scoring_elements":"0.98467","published_at":"2026-06-11T12:55:00Z"},{"value":"0.6434","scoring_system":"epss","scoring_elements":"0.98473","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-8021"},{"reference_url":"https://github.com/apache/incubator-superset/pull/4243","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/incubator-superset/pull/4243"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_typ
e":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/2c72a7ae4fc0a8bac1f037a79efa90e1c5549710","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/2c72a7ae4fc0a8bac1f037a79efa90e1c5549710"},{"reference_url":"https://github.com/apache/superset/pull/4243","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/pull/4243"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/superset/PYSEC-2018-74.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/superset/PYSEC-2018-74.yaml"},{"reference_url":"ht
tps://www.exploit-db.com/exploits/45933","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/45933"},{"reference_url":"https://www.exploit-db.com/exploits/45933/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/45933/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/webapps/45933.py","reference_id":"CVE-2018-8021","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/linux/webapps/45933.py"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8021","reference_id":"CVE-2018-8021","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-8021"},{"reference_url":"https://github.com/advisories/GHSA-vxp9-wv2f-wqmw","reference_id":"GHSA-vxp9-wv2f-wqmw","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vxp9-wv2f-wqmw"}],"fixed_packages":
[{"url":"http://public2.vulnerablecode.io/api/packages/14445?format=json","purl":"pkg:pypi/superset@0.23","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/superset@0.23"},{"url":"http://public2.vulnerablecode.io/api/packages/52641?format=json","purl":"pkg:pypi/superset@0.23.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2npv-nu15-6uee"},{"vulnerability":"VCID-3aw6-59a3-eba8"},{"vulnerability":"VCID-3q94-rkzw-q7bb"},{"vulnerability":"VCID-3sh2-fv5f-jkh5"},{"vulnerability":"VCID-46y8-wuk7-hfad"},{"vulnerability":"VCID-4axb-e4nm-3fcy"},{"vulnerability":"VCID-4zgy-r2br-37hy"},{"vulnerability":"VCID-58d5-z1y6-qffj"},{"vulnerability":"VCID-5m3g-6uya-1fe3"},{"vulnerability":"VCID-6brk-rjs7-67he"},{"vulnerability":"VCID-7zqa-ny6m-kqfw"},{"vulnerability":"VCID-98eq-5ynn-2ba5"},{"vulnerability":"VCID-9wan-6z96-uudu"},{"vulnerability":"VCID-au4r-bwjy-rbdw"},{"vulnerability":"VCID-autt-zyf9-1uhd"},{"vulnerability":"VCID-c1du-my8w-3kc4"},{"vulnerability":"VCID-cmt6-zps1-1yaa"},{"vulnerability":"VCID-ew1h-9gne-ckda"},{"vulnerability":"VCID-fuze-h6b7-p7ej"},{"vulnerability":"VCID-ggry-wydz-j3az"},{"vulnerability":"VCID-hb6y-7ujs-bfe9"},{"vulnerability":"VCID-meyp-4j5x-sfbt"},{"vulnerability":"VCID-n38n-w9e1-5ff6"},{"vulnerability":"VCID-q2f7-jq7w-vkc5"},{"vulnerability":"VCID-s7bz-64kr-9yfs"},{"vulnerability":"VCID-tf8b-bq3r-2fhc"},{"vulnerability":"VCID-u7nc-sr84-1qgy"},{"vulnerability":"VCID-uyy9-mrk5-fbhd"},{"vulnerability":"VCID-vt3x-87z4-zqf4"},{"vulnerability":"VCID-w4pb-uqe1-27cv"},{"vulnerability":"VCID-wgd2-ud3v-gkdw"},{"vulnerability":"VCID-xr3c-u3m4-tfeg"},{"vulnerability":"VCID-yyh5-z2zn-h7h7"},{"vulnerability":"VCID-yyqg-c3nw-nkdn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/superset@0.23.0"}],"aliases":["CVE-2018-8021","GHSA-vxp9-wv2f-wqmw","PYSEC-2018-74"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"h
ttp://public2.vulnerablecode.io/vulnerabilities/VCID-fevm-q2v2-gkb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/135563?format=json","vulnerability_id":"VCID-fuze-h6b7-p7ej","summary":"Unnecessary read permissions within the Gamma role would allow authenticated users to read configured CSS templates and annotations.\nThis issue affects Apache Superset: before 2.1.2.\nUsers should upgrade to version 2.1.2 or above and run `superset init` to reconstruct the Gamma role or remove `can_read` permission from the mentioned resources.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42501","reference_id":"","reference_type":"","scores":[{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27402","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00101","scoring_system":"epss","scoring_elements":"0.27605","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-42501"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42501","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42501"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/27/3","reference_id":"3","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","s
coring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T19:01:45Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/11/27/3"},{"reference_url":"https://github.com/advisories/GHSA-vv65-fjfj-4736","reference_id":"GHSA-vv65-fjfj-4736","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vv65-fjfj-4736"},{"reference_url":"https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh","reference_id":"vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T19:01:45Z/"}],"url":"https://lists.apache.org/thread/vk1rmrh9kz0chjmc9tk7o3md6zpz4ygh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/394732?format=json","purl":"pkg:pypi/superset@2.1.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/superset@2.1.2"}],"aliases":["CVE-2023-42501","GHSA-vv65-fjfj-4736"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fuze-h6b7-p7ej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/162997?format=json","vulnerability_id":"VCID-ggry-wydz-j3az","summary":"Upload data forms do not correctly render user input leading to possible XSS attack vectors that can be performed by authenticated users with database connection update permissions. 
This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43718","reference_id":"","reference_type":"","scores":[{"value":"0.00448","scoring_system":"epss","scoring_elements":"0.64004","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00498","scoring_system":"epss","scoring_elements":"0.66434","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43718"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43718","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43718"},{"reference_url":"https://lists.apache.org/thread/8615608jt2x7b3rmqrtngldy8pn3nz2r","reference_id":"8615608jt2x7b3rmqrtngldy8pn3nz2r","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T15:05:57Z/"}],"url":"https://lists.apache.org/thread/8615608jt2x7b3rmqrtngldy8pn3nz2r"},{"reference_url":"https://github.com/advisories/GHSA-79x5-cv79-49rj","reference_id":"GHSA-79x5-cv79-49rj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/
GHSA-79x5-cv79-49rj"}],"fixed_packages":[],"aliases":["CVE-2022-43718","GHSA-79x5-cv79-49rj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ggry-wydz-j3az"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/172608?format=json","vulnerability_id":"VCID-hb6y-7ujs-bfe9","summary":"A vulnerability in the SQL Alchemy connector of Apache Superset allows an authenticated user with read access to a specific database to add subqueries to the WHERE and HAVING fields referencing tables on the same database that the user should not have access to, despite the user having the feature flag \"ALLOW_ADHOC_SUBQUERY\" disabled (default value).  This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41703","reference_id":"","reference_type":"","scores":[{"value":"0.01068","scoring_system":"epss","scoring_elements":"0.782","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01302","scoring_system":"epss","scoring_elements":"0.80169","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-41703"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41703","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41703"},{"reference_url":"https://lists.apache.org/thread/g7jjw0okxjk
5y57pbbxy19ydw42kqcos","reference_id":"g7jjw0okxjk5y57pbbxy19ydw42kqcos","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-08T20:32:13Z/"}],"url":"https://lists.apache.org/thread/g7jjw0okxjk5y57pbbxy19ydw42kqcos"},{"reference_url":"https://github.com/advisories/GHSA-cxvp-3frm-3876","reference_id":"GHSA-cxvp-3frm-3876","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxvp-3frm-3876"}],"fixed_packages":[],"aliases":["CVE-2022-41703","GHSA-cxvp-3frm-3876"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hb6y-7ujs-bfe9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/356796?format=json","vulnerability_id":"VCID-meyp-4j5x-sfbt","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-43701","reference_id":"","reference_type":"","scores":[{"value":"0.00237","scoring_system":"epss","scoring_elements":"0.47068","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00237","scoring_system":"epss","scoring_elements":"0.47209","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-43701"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892","reference_id":"","reference_type":"","score
s":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/4dnr1knk50fw60jxkjgqj228f0xcc892"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43701","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43701"},{"reference_url":"https://www.openwall.com/lists/oss-security/2023/11/27/4","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.openwall.com/lists/oss-security/2023/11/27/4"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/27/4","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/11/27/4"},{"reference_url":"https://github.com/advisories/GHSA-wq8q-99p5-xfrw","reference_id":"GHSA-wq8q-99p5-xfrw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wq8q-99p5-xfrw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/394732?format=json","purl":"pkg:pypi/superset@2.1.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/superset@2.1.2"}],"aliases":["CVE-2023-43701","GHSA-wq8q-99p5-xfrw"],"risk_score":3.1,"exploitabil
ity":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-meyp-4j5x-sfbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218133?format=json","vulnerability_id":"VCID-n38n-w9e1-5ff6","summary":"Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28125","reference_id":"","reference_type":"","scores":[{"value":"0.02577","scoring_system":"epss","scoring_elements":"0.85882","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02577","scoring_system":"epss","scoring_elements":"0.85931","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-28125"},{"reference_url":"https://github.com/advisories/GHSA-pfwg-rxf4-97c3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pfwg-rxf4-97c3"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/eb35b804acf4d84cb70d02743e04b8afebbee029","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI
:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/eb35b804acf4d84cb70d02743e04b8afebbee029"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-128.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-128.yaml"},{"reference_url":"https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434@%3Cdev.superset.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434@%3Cdev.superset.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434%40%3Cdev.superset.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r89b5d0dd35c1adc9624b48d6247729c73b2641b32754226661368434%40%3Cdev.superset.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28125","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nv
d.nist.gov/vuln/detail/CVE-2021-28125"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/04/27/2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/04/27/2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1153390?format=json","purl":"pkg:pypi/superset@1.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/superset@1.1.0"}],"aliases":["BIT-superset-2021-28125","CVE-2021-28125","GHSA-pfwg-rxf4-97c3","PYSEC-2021-128"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n38n-w9e1-5ff6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/133132?format=json","vulnerability_id":"VCID-q2f7-jq7w-vkc5","summary":"A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. 
An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.\n\nFor 2.X versions, users should change their config to include:\n\nTALISMAN_CONFIG = {\n    \"content_security_policy\": {\n        \"base-uri\": [\"'self'\"],\n        \"default-src\": [\"'self'\"],\n        \"img-src\": [\"'self'\", \"blob:\", \"data:\"],\n        \"worker-src\": [\"'self'\", \"blob:\"],\n        \"connect-src\": [\n            \"'self'\",\n            \" https://api.mapbox.com\" https://api.mapbox.com\" ;,\n            \" https://events.mapbox.com\" https://events.mapbox.com\" ;,\n        ],\n        \"object-src\": \"'none'\",\n        \"style-src\": [\n            \"'self'\",\n            \"'unsafe-inline'\",\n        ],\n        \"script-src\": [\"'self'\", \"'strict-dynamic'\"],\n    },\n    \"content_security_policy_nonce_in\": [\"script-src\"],\n    \"force_https\": False,\n    \"session_cookie_secure\": 
False,\n}","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49657","reference_id":"","reference_type":"","scores":[{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61081","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61187","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-49657"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/01/23/5","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2024/01/23/5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49657","reference_id":"CVE-2023-49657","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49657"},{"reference_url":"https://github.com/advisories/GHSA-rwhh-6x83-84v6","reference_id":"GHSA-rwhh-6x83-84v6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rwhh-6x83-84v6"},{"reference_url":"https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx","reference_id":"wjyvz8om9nwd396lh0bt156mtwjxpsvx","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","sco
ring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T16:03:28Z/"}],"url":"https://lists.apache.org/thread/wjyvz8om9nwd396lh0bt156mtwjxpsvx"}],"fixed_packages":[],"aliases":["CVE-2023-49657","GHSA-rwhh-6x83-84v6"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q2f7-jq7w-vkc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/132563?format=json","vulnerability_id":"VCID-s7bz-64kr-9yfs","summary":"Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets.  \nThis vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46104","reference_id":"","reference_type":"","scores":[{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69813","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00592","scoring_system":"epss","scoring_elements":"0.69723","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46104"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/7c23cb0b3fd224c320b35f05e74b572033569154","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_
system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/7c23cb0b3fd224c320b35f05e74b572033569154"},{"reference_url":"https://github.com/apache/superset/commit/f473d13d0d89de5990209ff81b17dfe2cee884d3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/f473d13d0d89de5990209ff81b17dfe2cee884d3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46104","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46104"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/12/19/1","reference_id":"1","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:37:09Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/12/19/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/02/14/2","reference_id":"2","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:37:09Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/02/14/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/02/1
4/3","reference_id":"3","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:37:09Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/02/14/3"},{"reference_url":"https://github.com/advisories/GHSA-95mg-jgfx-54v9","reference_id":"GHSA-95mg-jgfx-54v9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-95mg-jgfx-54v9"},{"reference_url":"https://lists.apache.org/thread/yxbxg4wryb7cb7wyybk11l5nqy0rsrvl","reference_id":"yxbxg4wryb7cb7wyybk11l5nqy0rsrvl","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-27T15:37:09Z/"}],"url":"https://lists.apache.org/thread/yxbxg4wryb7cb7wyybk11l5nqy0rsrvl"}],"fixed_packages":[],"aliases":["CVE-2023-46104","GHSA-95mg-jgfx-54v9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s7bz-64kr-9yfs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/139194?format=json","vulnerability_id":"VCID-tf8b-bq3r-2fhc","summary":"By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. 
This vulnerability exists in Apache Superset versions up to and including 2.1.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39264","reference_id":"","reference_type":"","scores":[{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.34025","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0014","scoring_system":"epss","scoring_elements":"0.33849","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-39264"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39264","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39264"},{"reference_url":"https://github.com/advisories/GHSA-cpvx-2365-466c","reference_id":"GHSA-cpvx-2365-466c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cpvx-2365-466c"},{"reference_url":"https://lists.apache.org/thread/y65t1of7hb445n86o1vdzjct7rfwlx75","reference_id":"y65t1of7hb445n86o1vdzjct7rfwlx75","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T14:48:40Z/"}],"url":"https://lists.apache.org/thread/y65t1of7hb445n86o1vdz
jct7rfwlx75"}],"fixed_packages":[],"aliases":["CVE-2023-39264","GHSA-cpvx-2365-466c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tf8b-bq3r-2fhc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210656?format=json","vulnerability_id":"VCID-u7nc-sr84-1qgy","summary":"Apache Superset Stored XSS on Dashboard markdown","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27907","reference_id":"","reference_type":"","scores":[{"value":"0.02514","scoring_system":"epss","scoring_elements":"0.85719","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02514","scoring_system":"epss","scoring_elements":"0.8577","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-27907"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-127.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-127.yaml"},{"reference_url":"https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9bc5c1873bea67a@%3Cdev.superset.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elem
ents":""}],"url":"https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9bc5c1873bea67a@%3Cdev.superset.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9bc5c1873bea67a%40%3Cdev.superset.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9bc5c1873bea67a%40%3Cdev.superset.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27907","reference_id":"CVE-2021-27907","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27907"},{"reference_url":"https://github.com/advisories/GHSA-w358-rj93-r5qv","reference_id":"GHSA-w358-rj93-r5qv","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w358-rj93-r5qv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1153257?format=json","purl":"pkg:pypi/superset@0.38.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/superset@0.38.1"}],"aliases":["BIT-superset-2021-27907","CVE-2021-27907","GHSA-w358-rj93-r5qv","PYSEC-2021-127"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u7nc
-sr84-1qgy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/163104?format=json","vulnerability_id":"VCID-uyy9-mrk5-fbhd","summary":"An authenticated attacker with update datasets permission could change a dataset link to an untrusted site, users could be redirected to this site when clicking on that specific dataset. This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43721","reference_id":"","reference_type":"","scores":[{"value":"0.00651","scoring_system":"epss","scoring_elements":"0.71365","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00724","scoring_system":"epss","scoring_elements":"0.73092","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43721"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43721","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43721"},{"reference_url":"https://github.com/advisories/GHSA-fcg4-pm6h-9xx2","reference_id":"GHSA-fcg4-pm6h-9xx2","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fcg4-pm6h-9xx2"},{"reference_url":"https://lists.apache.org/thread/s6sqt5jmcv6qxtvdot1t5tpt57v439kg","reference_id":"s6sqt5jmcv6qxtvdot1t5tpt57v439kg","reference_type":"","scores":[{"value":"5.4","scoring_syst
em":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T15:00:49Z/"}],"url":"https://lists.apache.org/thread/s6sqt5jmcv6qxtvdot1t5tpt57v439kg"}],"fixed_packages":[],"aliases":["CVE-2022-43721","GHSA-fcg4-pm6h-9xx2"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uyy9-mrk5-fbhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/150431?format=json","vulnerability_id":"VCID-vt3x-87z4-zqf4","summary":"Improper authorization check and possible privilege escalation on Apache Superset up to but excluding 2.1.2. Using the default examples database connection that allows access to both the examples schema and Apache Superset's metadata database, an attacker using a specially crafted CTE SQL statement could change data on the metadata database. 
This weakness could result on tampering with the authentication/authorization data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40610","reference_id":"","reference_type":"","scores":[{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.5454","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00308","scoring_system":"epss","scoring_elements":"0.54414","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40610"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40610","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40610"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/11/27/2","reference_id":"2","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-03T13:59:25Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/11/27/2"},{"reference_url":"https://github.com/advisories/GHSA-f678-j579-4xf5","reference_id":"GHSA-f678-j579-4xf5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":"
"}],"url":"https://github.com/advisories/GHSA-f678-j579-4xf5"},{"reference_url":"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5","reference_id":"GHSA-f678-j579-4xf5","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-03T13:59:25Z/"}],"url":"https://github.com/orangecertcc/security-research/security/advisories/GHSA-f678-j579-4xf5"},{"reference_url":"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot","reference_id":"jvgxpk4dbxyqtsgtl4pdgbd520rc0rot","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-03T13:59:25Z/"}],"url":"https://lists.apache.org/thread/jvgxpk4dbxyqtsgtl4pdgbd520rc0rot"}],"fixed_packages":[],"aliases":["CVE-2023-40610","GHSA-f678-j579-4xf5","GMS-2023-5275"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vt3x-87z4-zqf4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/162857?format=json","vulnerability_id":"VCID-w4pb-uqe1-27cv","summary":"Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. 
This issue affects Apache Superset version 1.5.2 and prior versions and version 2.0.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43719","reference_id":"","reference_type":"","scores":[{"value":"0.00456","scoring_system":"epss","scoring_elements":"0.64305","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01528","scoring_system":"epss","scoring_elements":"0.81764","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-43719"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43719","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-43719"},{"reference_url":"https://github.com/advisories/GHSA-7222-r37x-8q3m","reference_id":"GHSA-7222-r37x-8q3m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7222-r37x-8q3m"},{"reference_url":"https://lists.apache.org/thread/xc309h2dphrkg33154djf3nqlh2xc1c0","reference_id":"xc309h2dphrkg33154djf3nqlh2xc1c0","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-07T15:03:55Z/"}],"url":"https://lists.apache.org/thread/xc309h2dphrkg33154djf3nqlh2xc
1c0"}],"fixed_packages":[],"aliases":["CVE-2022-43719","GHSA-7222-r37x-8q3m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w4pb-uqe1-27cv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143173?format=json","vulnerability_id":"VCID-wgd2-ud3v-gkdw","summary":"An incorrect authorisation check in SQL Lab affects Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. It can be exploited by leveraging a SQL parsing vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32672","reference_id":"","reference_type":"","scores":[{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38662","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00173","scoring_system":"epss","scoring_elements":"0.38488","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32672"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32672","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32672"},{"reference_url":"https://github.com/advisories/GHSA-95ch-p3gw-23qg","reference_id":"GHSA-95ch-p3gw-23qg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"http
s://github.com/advisories/GHSA-95ch-p3gw-23qg"},{"reference_url":"https://lists.apache.org/thread/ococ6nlj80f0okkwfwpjczy3q84j3wkp","reference_id":"ococ6nlj80f0okkwfwpjczy3q84j3wkp","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T15:46:32Z/"}],"url":"https://lists.apache.org/thread/ococ6nlj80f0okkwfwpjczy3q84j3wkp"}],"fixed_packages":[],"aliases":["CVE-2023-32672","GHSA-95ch-p3gw-23qg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wgd2-ud3v-gkdw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210652?format=json","vulnerability_id":"VCID-xr3c-u3m4-tfeg","summary":"Apache Superset OS Command Injection","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13948","reference_id":"","reference_type":"","scores":[{"value":"0.00732","scoring_system":"epss","scoring_elements":"0.73251","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00732","scoring_system":"epss","scoring_elements":"0.73174","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-13948"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/pull/11617#issuecomment-726204489","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"H
IGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/pull/11617#issuecomment-726204489"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2020-222.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2020-222.yaml"},{"reference_url":"https://lists.apache.org/thread.html/r0e35c7c5672a6146b962840be5c1a7b7461c05a71cd7ecc62774d155@%3Cnotifications.superset.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r0e35c7c5672a6146b962840be5c1a7b7461c05a71cd7ecc62774d155@%3Cnotifications.superset.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r4fc7115f6e63ac255c48fc68c0da592df55fe4be47cae6378d39ac22@%3Cnotifications.superset.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r4fc7115f6e63ac255c48fc68c0da592df55fe4be47cae6378d39ac22@%3Cnotifications.superset.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rdeee068ac1e0c43bd5b69830240f30598df15a2ef9f7998c7b29131e%40%3Cdev.superset.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_t
extual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rdeee068ac1e0c43bd5b69830240f30598df15a2ef9f7998c7b29131e%40%3Cdev.superset.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13948","reference_id":"CVE-2020-13948","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13948"},{"reference_url":"https://github.com/advisories/GHSA-cj7g-h7rf-h8j9","reference_id":"GHSA-cj7g-h7rf-h8j9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cj7g-h7rf-h8j9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1153010?format=json","purl":"pkg:pypi/superset@0.37.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/superset@0.37.1"}],"aliases":["BIT-superset-2020-13948","CVE-2020-13948","GHSA-cj7g-h7rf-h8j9","PYSEC-2020-222"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xr3c-u3m4-tfeg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/145658?format=json","vulnerability_id":"VCID-yyh5-z2zn-h7h7","summary":"Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.\n\nAll superset installations should always set a unique secure random SECRET_KEY. 
Your SECRET_KEY is used to sign all session cookies and to encrypt sensitive information stored in the database, so an attacker who knows the default key can forge valid session cookies.\nAdd a strong SECRET_KEY to your `superset_config.py` file like:\n\nSECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY>\n\nAlternatively you can set it with the `SUPERSET_SECRET_KEY` environment variable.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27524","reference_id":"","reference_type":"","scores":[{"value":"0.84026","scoring_system":"epss","scoring_elements":"0.99323","published_at":"2026-06-11T12:55:00Z"},{"value":"0.84026","scoring_system":"epss","scoring_elements":"0.99326","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27524"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://github.com/apache/superset/commit/b180319bbf08e876ea84963220ebebbfd0699e03","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset/commit/b180319bbf08e876ea84963220ebebbfd0699e03"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27524","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27524"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27524","reference_id":"","reference_t
ype":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-27524"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/04/24/2","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2023/04/24/2"},{"reference_url":"https://www.openwall.com/lists/oss-security/2023/04/24/2","reference_id":"2","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-03T16:30:35Z/"}],"url":"https://www.openwall.com/lists/oss-security/2023/04/24/2"},{"reference_url":"https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authentication-Bypass.html","reference_id":"Apache-Superset-2.0.0-Authentication-Bypass.html","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-03T16:30:35Z/"}],"url":"https://packetstormsecurity.com/files/172522/Apache-Superset-2.0.0-Authent
ication-Bypass.html"},{"reference_url":"https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html","reference_id":"Apache-Superset-2.0.0-Remote-Code-Execution.html","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-03T16:30:35Z/"}],"url":"https://packetstormsecurity.com/files/175094/Apache-Superset-2.0.0-Remote-Code-Execution.html"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/51447.py","reference_id":"CVE-2023-27524","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/51447.py"},{"reference_url":"https://github.com/advisories/GHSA-5cx2-vq3h-x52c","reference_id":"GHSA-5cx2-vq3h-x52c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5cx2-vq3h-x52c"},{"reference_url":"https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk","reference_id":"n0ftx60sllf527j7g11kmt24wvof8xyk","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L/E:H"},{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-03T16:30:35Z/"}],"url":"https://lists.apache.org/thread/n0ftx60sllf527j7g11kmt24wvof8xyk"}],"fixed_packages":[],"aliases":["CVE-
2023-27524","GHSA-5cx2-vq3h-x52c"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yyh5-z2zn-h7h7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/129436?format=json","vulnerability_id":"VCID-yyqg-c3nw-nkdn","summary":"A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery\nattacks and query internal resources on behalf of the server where Superset\nis deployed. This vulnerability exists in Apache Superset versions up to and including 2.0.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25504","reference_id":"","reference_type":"","scores":[{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36717","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36538","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-25504"},{"reference_url":"https://github.com/apache/superset","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/superset"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25504","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25504"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/04/18/8","reference_id":"8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR
:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T15:07:39Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/04/18/8"},{"reference_url":"https://github.com/advisories/GHSA-fxjg-28fm-pfxh","reference_id":"GHSA-fxjg-28fm-pfxh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fxjg-28fm-pfxh"},{"reference_url":"https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx","reference_id":"tdnzkocfsqg2sbbornnp9g492fn4zhtx","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-21T15:07:39Z/"}],"url":"https://lists.apache.org/thread/tdnzkocfsqg2sbbornnp9g492fn4zhtx"}],"fixed_packages":[],"aliases":["CVE-2023-25504","GHSA-fxjg-28fm-pfxh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yyqg-c3nw-nkdn"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/superset@0.18.4"}