Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/apache-superset@4.0.0rc2
Typepypi
Namespace
Nameapache-superset
Version4.0.0rc2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.0.0
Latest_non_vulnerable_version6.0.0
Affected_by_vulnerabilities
0
url VCID-1gqt-cpea-b7ht
vulnerability_id VCID-1gqt-cpea-b7ht
summary 
Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable. 

This issue affects Apache Superset: before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-55633
reference_id
reference_type
scores
0
value 0.01043
scoring_system epss
scoring_elements 0.77963
published_at 2026-06-13T12:55:00Z
1
value 0.01043
scoring_system epss
scoring_elements 0.77956
published_at 2026-06-14T12:55:00Z
2
value 0.01043
scoring_system epss
scoring_elements 0.77881
published_at 2026-06-11T12:55:00Z
3
value 0.01043
scoring_system epss
scoring_elements 0.7795
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-55633
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-55633
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-55633
3
reference_url http://www.openwall.com/lists/oss-security/2024/12/12/1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/12/12/1
4
reference_url https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb
reference_id bwmd17fcvljt9q4cgctp4v09zh3qs7fb
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-12T15:27:53Z/
url https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb
5
reference_url https://github.com/advisories/GHSA-787v-v9vq-4rgv
reference_id GHSA-787v-v9vq-4rgv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-787v-v9vq-4rgv
fixed_packages
0
url pkg:pypi/apache-superset@4.1.0
purl pkg:pypi/apache-superset@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2bqf-unav-tbfs
1
vulnerability VCID-35bq-93h8-qufg
2
vulnerability VCID-8bqq-wrc2-b3de
3
vulnerability VCID-djyw-btmk-tyc1
4
vulnerability VCID-mjty-hv8c-mbck
5
vulnerability VCID-pvr6-v3ds-sqcr
6
vulnerability VCID-tvfr-mp56-b7f4
7
vulnerability VCID-ubwg-81j2-8yhd
8
vulnerability VCID-us7y-vvzr-2fea
9
vulnerability VCID-v735-muyq-h7hr
10
vulnerability VCID-zvzt-19xv-6ubd
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0
aliases CVE-2024-55633, GHSA-787v-v9vq-4rgv
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1gqt-cpea-b7ht
1
url VCID-2bqf-unav-tbfs
vulnerability_id VCID-2bqf-unav-tbfs
summary 
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55675
reference_id
reference_type
scores
0
value 0.00253
scoring_system epss
scoring_elements 0.49046
published_at 2026-06-13T12:55:00Z
1
value 0.00253
scoring_system epss
scoring_elements 0.49033
published_at 2026-06-14T12:55:00Z
2
value 0.00253
scoring_system epss
scoring_elements 0.48892
published_at 2026-06-11T12:55:00Z
3
value 0.00253
scoring_system epss
scoring_elements 0.49028
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55675
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55675
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55675
3
reference_url http://www.openwall.com/lists/oss-security/2025/08/14/6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/08/14/6
4
reference_url https://github.com/advisories/GHSA-mhpq-m962-mg92
reference_id GHSA-mhpq-m962-mg92
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mhpq-m962-mg92
5
reference_url https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
reference_id op681b4kbd7g84tfjf9omz0sxggbcv33
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:47:53Z/
url https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
fixed_packages
0
url pkg:pypi/apache-superset@5.0.0
purl pkg:pypi/apache-superset@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8bqq-wrc2-b3de
1
vulnerability VCID-tvfr-mp56-b7f4
2
vulnerability VCID-ubwg-81j2-8yhd
3
vulnerability VCID-us7y-vvzr-2fea
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0
aliases CVE-2025-55675, GHSA-mhpq-m962-mg92
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2bqf-unav-tbfs
2
url VCID-35bq-93h8-qufg
vulnerability_id VCID-35bq-93h8-qufg
summary 
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23969
reference_id
reference_type
scores
0
value 0.00069
scoring_system epss
scoring_elements 0.21453
published_at 2026-06-11T12:55:00Z
1
value 0.00069
scoring_system epss
scoring_elements 0.21624
published_at 2026-06-14T12:55:00Z
2
value 0.00069
scoring_system epss
scoring_elements 0.21637
published_at 2026-06-12T12:55:00Z
3
value 0.00069
scoring_system epss
scoring_elements 0.2165
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23969
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/4
3
reference_url https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd
reference_id 2q22sp4oj3krcgdkxchhtht0vgwp2wnd
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:03:24Z/
url https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23969
reference_id CVE-2026-23969
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23969
5
reference_url https://github.com/advisories/GHSA-48m2-v2r8-h23m
reference_id GHSA-48m2-v2r8-h23m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-48m2-v2r8-h23m
fixed_packages
0
url pkg:pypi/apache-superset@4.1.2
purl pkg:pypi/apache-superset@4.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2bqf-unav-tbfs
1
vulnerability VCID-8bqq-wrc2-b3de
2
vulnerability VCID-djyw-btmk-tyc1
3
vulnerability VCID-mjty-hv8c-mbck
4
vulnerability VCID-tvfr-mp56-b7f4
5
vulnerability VCID-ubwg-81j2-8yhd
6
vulnerability VCID-us7y-vvzr-2fea
7
vulnerability VCID-v735-muyq-h7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2
aliases CVE-2026-23969, GHSA-48m2-v2r8-h23m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-35bq-93h8-qufg
3
url VCID-8bqq-wrc2-b3de
vulnerability_id VCID-8bqq-wrc2-b3de
summary 
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23982
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13535
published_at 2026-06-12T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.13512
published_at 2026-06-14T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.13418
published_at 2026-06-11T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13539
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23982
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/6
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/6
3
reference_url https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp
reference_id 9lvbzwkw4rxgdvbpfvnnnfcll92v75fp
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:44:20Z/
url https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23982
reference_id CVE-2026-23982
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23982
5
reference_url https://github.com/advisories/GHSA-3m2g-v7jf-7fxc
reference_id GHSA-3m2g-v7jf-7fxc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3m2g-v7jf-7fxc
fixed_packages
0
url pkg:pypi/apache-superset@6.0.0
purl pkg:pypi/apache-superset@6.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0
aliases CVE-2026-23982, GHSA-3m2g-v7jf-7fxc
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8bqq-wrc2-b3de
4
url VCID-8s2r-g7nq-9qcm
vulnerability_id VCID-8s2r-g7nq-9qcm
summary 
An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request.This issue affects Apache Superset: before 3.1.2.

Users are recommended to upgrade to version 3.1.2 or above, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28148
reference_id
reference_type
scores
0
value 0.0008
scoring_system epss
scoring_elements 0.23713
published_at 2026-06-11T12:55:00Z
1
value 0.0008
scoring_system epss
scoring_elements 0.23895
published_at 2026-06-14T12:55:00Z
2
value 0.0008
scoring_system epss
scoring_elements 0.23909
published_at 2026-06-12T12:55:00Z
3
value 0.0008
scoring_system epss
scoring_elements 0.23918
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28148
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28148
reference_id CVE-2024-28148
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28148
3
reference_url https://github.com/advisories/GHSA-299q-3p96-5898
reference_id GHSA-299q-3p96-5898
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-299q-3p96-5898
4
reference_url https://lists.apache.org/thread/n27wlbd05oc6bgjh28d5pxzsrrph8dgo
reference_id n27wlbd05oc6bgjh28d5pxzsrrph8dgo
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T18:25:54Z/
url https://lists.apache.org/thread/n27wlbd05oc6bgjh28d5pxzsrrph8dgo
fixed_packages
0
url pkg:pypi/apache-superset@4.0.0
purl pkg:pypi/apache-superset@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1gqt-cpea-b7ht
1
vulnerability VCID-2bqf-unav-tbfs
2
vulnerability VCID-35bq-93h8-qufg
3
vulnerability VCID-8bqq-wrc2-b3de
4
vulnerability VCID-czv8-b1v4-s3gv
5
vulnerability VCID-djyw-btmk-tyc1
6
vulnerability VCID-f3cr-98hh-qygb
7
vulnerability VCID-mjty-hv8c-mbck
8
vulnerability VCID-mwbp-vuvw-mua1
9
vulnerability VCID-pvr6-v3ds-sqcr
10
vulnerability VCID-tvfr-mp56-b7f4
11
vulnerability VCID-ubwg-81j2-8yhd
12
vulnerability VCID-us7y-vvzr-2fea
13
vulnerability VCID-v735-muyq-h7hr
14
vulnerability VCID-vafu-fk53-6yd4
15
vulnerability VCID-xsmf-gtwu-1kae
16
vulnerability VCID-zvzt-19xv-6ubd
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.0
aliases CVE-2024-28148, GHSA-299q-3p96-5898
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8s2r-g7nq-9qcm
5
url VCID-czv8-b1v4-s3gv
vulnerability_id VCID-czv8-b1v4-s3gv
summary 
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.

 issue affects Apache Superset: from 2.0.0 before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53949
reference_id
reference_type
scores
0
value 0.00335
scoring_system epss
scoring_elements 0.56828
published_at 2026-06-14T12:55:00Z
1
value 0.00335
scoring_system epss
scoring_elements 0.56703
published_at 2026-06-11T12:55:00Z
2
value 0.00335
scoring_system epss
scoring_elements 0.56838
published_at 2026-06-13T12:55:00Z
3
value 0.00335
scoring_system epss
scoring_elements 0.56824
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53949
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53949
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53949
4
reference_url http://www.openwall.com/lists/oss-security/2024/12/09/4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/12/09/4
5
reference_url https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d
reference_id d3scbwmfpzbpm6npnzdw5y4owtqqyq8d
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-09T15:01:51Z/
url https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d
6
reference_url https://github.com/advisories/GHSA-35fc-9hrj-3585
reference_id GHSA-35fc-9hrj-3585
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-35fc-9hrj-3585
fixed_packages
0
url pkg:pypi/apache-superset@4.1.0
purl pkg:pypi/apache-superset@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2bqf-unav-tbfs
1
vulnerability VCID-35bq-93h8-qufg
2
vulnerability VCID-8bqq-wrc2-b3de
3
vulnerability VCID-djyw-btmk-tyc1
4
vulnerability VCID-mjty-hv8c-mbck
5
vulnerability VCID-pvr6-v3ds-sqcr
6
vulnerability VCID-tvfr-mp56-b7f4
7
vulnerability VCID-ubwg-81j2-8yhd
8
vulnerability VCID-us7y-vvzr-2fea
9
vulnerability VCID-v735-muyq-h7hr
10
vulnerability VCID-zvzt-19xv-6ubd
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0
aliases CVE-2024-53949, GHSA-35fc-9hrj-3585
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-czv8-b1v4-s3gv
6
url VCID-djyw-btmk-tyc1
vulnerability_id VCID-djyw-btmk-tyc1
summary 
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.

This issue affects Apache Superset: before 4.1.3.

Users are recommended to upgrade to version 4.1.3, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55673
reference_id
reference_type
scores
0
value 0.00881
scoring_system epss
scoring_elements 0.75893
published_at 2026-06-13T12:55:00Z
1
value 0.00881
scoring_system epss
scoring_elements 0.75887
published_at 2026-06-14T12:55:00Z
2
value 0.00881
scoring_system epss
scoring_elements 0.75808
published_at 2026-06-11T12:55:00Z
3
value 0.00881
scoring_system epss
scoring_elements 0.75879
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55673
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55673
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55673
3
reference_url http://www.openwall.com/lists/oss-security/2025/08/14/3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/08/14/3
4
reference_url https://github.com/advisories/GHSA-9g5x-mm39-wg9r
reference_id GHSA-9g5x-mm39-wg9r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9g5x-mm39-wg9r
5
reference_url https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8
reference_id h2hw756wk4sj4z49blvzkr5fntl9hlf8
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T14:02:38Z/
url https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8
fixed_packages
0
url pkg:pypi/apache-superset@4.1.3.post1
purl pkg:pypi/apache-superset@4.1.3.post1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2bqf-unav-tbfs
1
vulnerability VCID-8bqq-wrc2-b3de
2
vulnerability VCID-mjty-hv8c-mbck
3
vulnerability VCID-tvfr-mp56-b7f4
4
vulnerability VCID-ubwg-81j2-8yhd
5
vulnerability VCID-us7y-vvzr-2fea
6
vulnerability VCID-v735-muyq-h7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.3.post1
aliases CVE-2025-55673, GHSA-9g5x-mm39-wg9r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-djyw-btmk-tyc1
7
url VCID-f3cr-98hh-qygb
vulnerability_id VCID-f3cr-98hh-qygb
summary 
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.

This issue affects Apache Superset: before 4.0.2.

Users are recommended to upgrade to version 4.0.2, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-39887
reference_id
reference_type
scores
0
value 0.61396
scoring_system epss
scoring_elements 0.98352
published_at 2026-06-11T12:55:00Z
1
value 0.61396
scoring_system epss
scoring_elements 0.98359
published_at 2026-06-13T12:55:00Z
2
value 0.61396
scoring_system epss
scoring_elements 0.98358
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-39887
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506
3
reference_url http://www.openwall.com/lists/oss-security/2024/07/16/5
reference_id 5
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/
url http://www.openwall.com/lists/oss-security/2024/07/16/5
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-39887
reference_id CVE-2024-39887
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-39887
5
reference_url https://github.com/advisories/GHSA-2q6j-vpvr-6pvj
reference_id GHSA-2q6j-vpvr-6pvj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2q6j-vpvr-6pvj
6
reference_url https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz
reference_id j55vm41jg3l0x6w49zrmvbf3k0ts5fqz
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/
url https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz
fixed_packages
0
url pkg:pypi/apache-superset@4.0.2
purl pkg:pypi/apache-superset@4.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1gqt-cpea-b7ht
1
vulnerability VCID-2bqf-unav-tbfs
2
vulnerability VCID-35bq-93h8-qufg
3
vulnerability VCID-8bqq-wrc2-b3de
4
vulnerability VCID-czv8-b1v4-s3gv
5
vulnerability VCID-djyw-btmk-tyc1
6
vulnerability VCID-mjty-hv8c-mbck
7
vulnerability VCID-mwbp-vuvw-mua1
8
vulnerability VCID-pvr6-v3ds-sqcr
9
vulnerability VCID-tvfr-mp56-b7f4
10
vulnerability VCID-ubwg-81j2-8yhd
11
vulnerability VCID-us7y-vvzr-2fea
12
vulnerability VCID-v735-muyq-h7hr
13
vulnerability VCID-xsmf-gtwu-1kae
14
vulnerability VCID-zvzt-19xv-6ubd
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.2
aliases CVE-2024-39887, GHSA-2q6j-vpvr-6pvj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f3cr-98hh-qygb
8
url VCID-mjty-hv8c-mbck
vulnerability_id VCID-mjty-hv8c-mbck
summary 
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55674
reference_id
reference_type
scores
0
value 0.00376
scoring_system epss
scoring_elements 0.5972
published_at 2026-06-13T12:55:00Z
1
value 0.00376
scoring_system epss
scoring_elements 0.5971
published_at 2026-06-14T12:55:00Z
2
value 0.00376
scoring_system epss
scoring_elements 0.59599
published_at 2026-06-11T12:55:00Z
3
value 0.00376
scoring_system epss
scoring_elements 0.59708
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55674
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55674
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55674
3
reference_url http://www.openwall.com/lists/oss-security/2025/08/14/5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/08/14/5
4
reference_url https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo
reference_id cn49ps15ny3g2b1qzdg5mj7hp47p5jdo
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:49:40Z/
url https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo
5
reference_url https://github.com/advisories/GHSA-fxgf-3xh6-m2pp
reference_id GHSA-fxgf-3xh6-m2pp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fxgf-3xh6-m2pp
fixed_packages
0
url pkg:pypi/apache-superset@5.0.0
purl pkg:pypi/apache-superset@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8bqq-wrc2-b3de
1
vulnerability VCID-tvfr-mp56-b7f4
2
vulnerability VCID-ubwg-81j2-8yhd
3
vulnerability VCID-us7y-vvzr-2fea
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0
aliases CVE-2025-55674, GHSA-fxgf-3xh6-m2pp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mjty-hv8c-mbck
9
url VCID-mwbp-vuvw-mua1
vulnerability_id VCID-mwbp-vuvw-mua1
summary 
Generation of Error Message Containing analytics metadata Information in Apache Superset.

This issue affects Apache Superset: before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53948
reference_id
reference_type
scores
0
value 0.00172
scoring_system epss
scoring_elements 0.3865
published_at 2026-06-14T12:55:00Z
1
value 0.00172
scoring_system epss
scoring_elements 0.38466
published_at 2026-06-11T12:55:00Z
2
value 0.00172
scoring_system epss
scoring_elements 0.38661
published_at 2026-06-13T12:55:00Z
3
value 0.00172
scoring_system epss
scoring_elements 0.38639
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53948
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53948
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53948
4
reference_url http://www.openwall.com/lists/oss-security/2024/12/09/3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/12/09/3
5
reference_url https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf
reference_id 8howpf3png0wrgpls46ggk441oczlfvf
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:04:23Z/
url https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf
6
reference_url https://github.com/advisories/GHSA-2cx9-54hp-r698
reference_id GHSA-2cx9-54hp-r698
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2cx9-54hp-r698
fixed_packages
0
url pkg:pypi/apache-superset@4.1.0
purl pkg:pypi/apache-superset@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2bqf-unav-tbfs
1
vulnerability VCID-35bq-93h8-qufg
2
vulnerability VCID-8bqq-wrc2-b3de
3
vulnerability VCID-djyw-btmk-tyc1
4
vulnerability VCID-mjty-hv8c-mbck
5
vulnerability VCID-pvr6-v3ds-sqcr
6
vulnerability VCID-tvfr-mp56-b7f4
7
vulnerability VCID-ubwg-81j2-8yhd
8
vulnerability VCID-us7y-vvzr-2fea
9
vulnerability VCID-v735-muyq-h7hr
10
vulnerability VCID-zvzt-19xv-6ubd
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0
aliases CVE-2024-53948, GHSA-2cx9-54hp-r698
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mwbp-vuvw-mua1
10
url VCID-pvr6-v3ds-sqcr
vulnerability_id VCID-pvr6-v3ds-sqcr
summary 
An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-48912
reference_id
reference_type
scores
0
value 0.00335
scoring_system epss
scoring_elements 0.56887
published_at 2026-06-13T12:55:00Z
1
value 0.00335
scoring_system epss
scoring_elements 0.56876
published_at 2026-06-14T12:55:00Z
2
value 0.00335
scoring_system epss
scoring_elements 0.56751
published_at 2026-06-11T12:55:00Z
3
value 0.00335
scoring_system epss
scoring_elements 0.56872
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-48912
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-48912
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-48912
3
reference_url http://www.openwall.com/lists/oss-security/2025/05/30/3
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/05/30/3
4
reference_url https://github.com/advisories/GHSA-8w7f-8pr9-xgwj
reference_id GHSA-8w7f-8pr9-xgwj
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8w7f-8pr9-xgwj
5
reference_url https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135
reference_id ms2t2oq218hb7l628trsogo4fj7h1135
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T12:55:47Z/
url https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135
fixed_packages
0
url pkg:pypi/apache-superset@4.1.2
purl pkg:pypi/apache-superset@4.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2bqf-unav-tbfs
1
vulnerability VCID-8bqq-wrc2-b3de
2
vulnerability VCID-djyw-btmk-tyc1
3
vulnerability VCID-mjty-hv8c-mbck
4
vulnerability VCID-tvfr-mp56-b7f4
5
vulnerability VCID-ubwg-81j2-8yhd
6
vulnerability VCID-us7y-vvzr-2fea
7
vulnerability VCID-v735-muyq-h7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2
aliases CVE-2025-48912, GHSA-8w7f-8pr9-xgwj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pvr6-v3ds-sqcr
11
url VCID-tvfr-mp56-b7f4
vulnerability_id VCID-tvfr-mp56-b7f4
summary 
Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23980
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12784
published_at 2026-06-11T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.1287
published_at 2026-06-14T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12879
published_at 2026-06-12T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12889
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23980
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/5
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23980
reference_id CVE-2026-23980
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23980
4
reference_url https://github.com/advisories/GHSA-gvxg-9hqx-f4rg
reference_id GHSA-gvxg-9hqx-f4rg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gvxg-9hqx-f4rg
5
reference_url https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4
reference_id h4l02zw1pr2vywv0dc5zjn3grdcdhwf4
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:05:27Z/
url https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4
fixed_packages
0
url pkg:pypi/apache-superset@6.0.0
purl pkg:pypi/apache-superset@6.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0
aliases CVE-2026-23980, GHSA-gvxg-9hqx-f4rg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tvfr-mp56-b7f4
12
url VCID-ubwg-81j2-8yhd
vulnerability_id VCID-ubwg-81j2-8yhd
summary 
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection.
While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23984
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12856
published_at 2026-06-11T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12943
published_at 2026-06-14T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12952
published_at 2026-06-12T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12963
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23984
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/8
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/8
3
reference_url https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26
reference_id 72cmgxtvp9pclto4ln1chbs1227nwd26
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:51:19Z/
url https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23984
reference_id CVE-2026-23984
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23984
5
reference_url https://github.com/advisories/GHSA-mwf2-qr4v-94h2
reference_id GHSA-mwf2-qr4v-94h2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mwf2-qr4v-94h2
fixed_packages
0
url pkg:pypi/apache-superset@6.0.0
purl pkg:pypi/apache-superset@6.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0
aliases CVE-2026-23984, GHSA-mwf2-qr4v-94h2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ubwg-81j2-8yhd
13
url VCID-us7y-vvzr-2fea
vulnerability_id VCID-us7y-vvzr-2fea
summary 
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.
When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data 

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23983
reference_id
reference_type
scores
0
value 0.00055
scoring_system epss
scoring_elements 0.17696
published_at 2026-06-12T12:55:00Z
1
value 0.00055
scoring_system epss
scoring_elements 0.17688
published_at 2026-06-14T12:55:00Z
2
value 0.00055
scoring_system epss
scoring_elements 0.17536
published_at 2026-06-11T12:55:00Z
3
value 0.00055
scoring_system epss
scoring_elements 0.17713
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23983
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/7
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/7
3
reference_url https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww
reference_id 62mgbc5hc8026skp69kb6vqozj3pr5ww
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:46:54Z/
url https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23983
reference_id CVE-2026-23983
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23983
5
reference_url https://github.com/advisories/GHSA-h294-8fxm-m2pj
reference_id GHSA-h294-8fxm-m2pj
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h294-8fxm-m2pj
fixed_packages
0
url pkg:pypi/apache-superset@6.0.0
purl pkg:pypi/apache-superset@6.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0
aliases CVE-2026-23983, GHSA-h294-8fxm-m2pj
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-us7y-vvzr-2fea
14
url VCID-v735-muyq-h7hr
vulnerability_id VCID-v735-muyq-h7hr
summary 
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55672
reference_id
reference_type
scores
0
value 0.00217
scoring_system epss
scoring_elements 0.44475
published_at 2026-06-14T12:55:00Z
1
value 0.00217
scoring_system epss
scoring_elements 0.44316
published_at 2026-06-11T12:55:00Z
2
value 0.00217
scoring_system epss
scoring_elements 0.44469
published_at 2026-06-12T12:55:00Z
3
value 0.00217
scoring_system epss
scoring_elements 0.44488
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55672
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55672
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55672
3
reference_url http://www.openwall.com/lists/oss-security/2025/08/14/4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/08/14/4
4
reference_url https://github.com/advisories/GHSA-fj97-2v9x-w5m4
reference_id GHSA-fj97-2v9x-w5m4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fj97-2v9x-w5m4
5
reference_url https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj
reference_id rvh7fdjfzxzjhcfwoz7twc2brhvochdj
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:52:16Z/
url https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj
fixed_packages
0
url pkg:pypi/apache-superset@5.0.0
purl pkg:pypi/apache-superset@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8bqq-wrc2-b3de
1
vulnerability VCID-tvfr-mp56-b7f4
2
vulnerability VCID-ubwg-81j2-8yhd
3
vulnerability VCID-us7y-vvzr-2fea
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0
aliases CVE-2025-55672, GHSA-fj97-2v9x-w5m4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v735-muyq-h7hr
15
url VCID-xsmf-gtwu-1kae
vulnerability_id VCID-xsmf-gtwu-1kae
summary 
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.

This issue affects Apache Superset: <4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53947
reference_id
reference_type
scores
0
value 0.00399
scoring_system epss
scoring_elements 0.61214
published_at 2026-06-12T12:55:00Z
1
value 0.00399
scoring_system epss
scoring_elements 0.61219
published_at 2026-06-14T12:55:00Z
2
value 0.00399
scoring_system epss
scoring_elements 0.61108
published_at 2026-06-11T12:55:00Z
3
value 0.00399
scoring_system epss
scoring_elements 0.61223
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53947
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53947
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53947
4
reference_url https://github.com/advisories/GHSA-92qf-8gh3-gwcm
reference_id GHSA-92qf-8gh3-gwcm
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-92qf-8gh3-gwcm
5
reference_url https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn
reference_id hj3gfsjh67vqw12nlrshlsym4bkopjmn
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:05:04Z/
url https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn
fixed_packages
0
url pkg:pypi/apache-superset@4.1.0
purl pkg:pypi/apache-superset@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2bqf-unav-tbfs
1
vulnerability VCID-35bq-93h8-qufg
2
vulnerability VCID-8bqq-wrc2-b3de
3
vulnerability VCID-djyw-btmk-tyc1
4
vulnerability VCID-mjty-hv8c-mbck
5
vulnerability VCID-pvr6-v3ds-sqcr
6
vulnerability VCID-tvfr-mp56-b7f4
7
vulnerability VCID-ubwg-81j2-8yhd
8
vulnerability VCID-us7y-vvzr-2fea
9
vulnerability VCID-v735-muyq-h7hr
10
vulnerability VCID-zvzt-19xv-6ubd
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0
aliases CVE-2024-53947, GHSA-92qf-8gh3-gwcm
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xsmf-gtwu-1kae
16
url VCID-zvzt-19xv-6ubd
vulnerability_id VCID-zvzt-19xv-6ubd
summary 
Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.

This issue affects Apache Superset: through 4.1.1.

Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27696
reference_id
reference_type
scores
0
value 0.00079
scoring_system epss
scoring_elements 0.23681
published_at 2026-06-12T12:55:00Z
1
value 0.00079
scoring_system epss
scoring_elements 0.23671
published_at 2026-06-14T12:55:00Z
2
value 0.00079
scoring_system epss
scoring_elements 0.23484
published_at 2026-06-11T12:55:00Z
3
value 0.00079
scoring_system epss
scoring_elements 0.2369
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27696
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27696
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27696
4
reference_url http://www.openwall.com/lists/oss-security/2025/05/12/3
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/05/12/3
5
reference_url https://github.com/advisories/GHSA-w6c7-j32f-rq8j
reference_id GHSA-w6c7-j32f-rq8j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w6c7-j32f-rq8j
6
reference_url https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413
reference_id k2od03bxnxs6vcp80sr03ywcxl194413
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-13T13:15:33Z/
url https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413
fixed_packages
0
url pkg:pypi/apache-superset@4.1.2
purl pkg:pypi/apache-superset@4.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2bqf-unav-tbfs
1
vulnerability VCID-8bqq-wrc2-b3de
2
vulnerability VCID-djyw-btmk-tyc1
3
vulnerability VCID-mjty-hv8c-mbck
4
vulnerability VCID-tvfr-mp56-b7f4
5
vulnerability VCID-ubwg-81j2-8yhd
6
vulnerability VCID-us7y-vvzr-2fea
7
vulnerability VCID-v735-muyq-h7hr
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2
aliases CVE-2025-27696, GHSA-w6c7-j32f-rq8j
risk_score 4.0
exploitability 0.5
weighted_severity 7.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zvzt-19xv-6ubd
Fixing_vulnerabilities
Risk_score4.4
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.0rc2