Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/apache-superset@4.0.2
Typepypi
Namespace
Nameapache-superset
Version4.0.2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.0.0
Latest_non_vulnerable_version6.0.0
Affected_by_vulnerabilities
0
url VCID-2gr1-bbms-4qcv
vulnerability_id VCID-2gr1-bbms-4qcv
summary 
Apache Superset: Error verbosity exposes metadata in analytics databases
Generation of Error Message Containing analytics metadata Information in Apache Superset.

This issue affects Apache Superset: before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53948
reference_id
reference_type
scores
0
value 0.00172
scoring_system epss
scoring_elements 0.38459
published_at 2026-06-05T12:55:00Z
1
value 0.00172
scoring_system epss
scoring_elements 0.38416
published_at 2026-06-09T12:55:00Z
2
value 0.00172
scoring_system epss
scoring_elements 0.38405
published_at 2026-06-08T12:55:00Z
3
value 0.00172
scoring_system epss
scoring_elements 0.38434
published_at 2026-06-07T12:55:00Z
4
value 0.00172
scoring_system epss
scoring_elements 0.38462
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53948
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c
3
reference_url https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:04:23Z/
url https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf
4
reference_url http://www.openwall.com/lists/oss-security/2024/12/09/3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/12/09/3
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53948
reference_id CVE-2024-53948
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53948
6
reference_url https://github.com/advisories/GHSA-2cx9-54hp-r698
reference_id GHSA-2cx9-54hp-r698
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2cx9-54hp-r698
fixed_packages
0
url pkg:pypi/apache-superset@4.1.0
purl pkg:pypi/apache-superset@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-35st-tkb8-hkfu
1
vulnerability VCID-8mj1-r3na-zbdx
2
vulnerability VCID-bzqd-gxbh-4kh5
3
vulnerability VCID-cm8z-243v-63h6
4
vulnerability VCID-ftpt-n6j5-8uf2
5
vulnerability VCID-fy2u-7r3d-rbbf
6
vulnerability VCID-hpgv-z5gk-tkhs
7
vulnerability VCID-t415-wgxb-5kbt
8
vulnerability VCID-tn5d-naa3-uuba
9
vulnerability VCID-v1xw-5b4s-cqhx
10
vulnerability VCID-ys7s-ahtc-c3hg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0
aliases CVE-2024-53948, GHSA-2cx9-54hp-r698
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2gr1-bbms-4qcv
1
url VCID-35st-tkb8-hkfu
vulnerability_id VCID-35st-tkb8-hkfu
summary 
Apache Superset: Improper authorization bypass on row level security via SQL Injection
An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-48912
reference_id
reference_type
scores
0
value 0.00335
scoring_system epss
scoring_elements 0.56677
published_at 2026-06-07T12:55:00Z
1
value 0.00335
scoring_system epss
scoring_elements 0.56688
published_at 2026-06-06T12:55:00Z
2
value 0.00335
scoring_system epss
scoring_elements 0.5668
published_at 2026-06-09T12:55:00Z
3
value 0.00335
scoring_system epss
scoring_elements 0.56682
published_at 2026-06-05T12:55:00Z
4
value 0.00335
scoring_system epss
scoring_elements 0.56662
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-48912
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T12:55:47Z/
url https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135
3
reference_url http://www.openwall.com/lists/oss-security/2025/05/30/3
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/05/30/3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-48912
reference_id CVE-2025-48912
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-48912
5
reference_url https://github.com/advisories/GHSA-8w7f-8pr9-xgwj
reference_id GHSA-8w7f-8pr9-xgwj
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8w7f-8pr9-xgwj
fixed_packages
0
url pkg:pypi/apache-superset@4.1.2
purl pkg:pypi/apache-superset@4.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8mj1-r3na-zbdx
1
vulnerability VCID-ftpt-n6j5-8uf2
2
vulnerability VCID-fy2u-7r3d-rbbf
3
vulnerability VCID-hpgv-z5gk-tkhs
4
vulnerability VCID-t415-wgxb-5kbt
5
vulnerability VCID-tn5d-naa3-uuba
6
vulnerability VCID-v1xw-5b4s-cqhx
7
vulnerability VCID-ys7s-ahtc-c3hg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2
aliases CVE-2025-48912, GHSA-8w7f-8pr9-xgwj
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-35st-tkb8-hkfu
2
url VCID-8mj1-r3na-zbdx
vulnerability_id VCID-8mj1-r3na-zbdx
summary 
Apache Superset data query improperly discloses database schema information to low-privileged guest user
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.

This issue affects Apache Superset: before 4.1.3.

Users are recommended to upgrade to version 4.1.3, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55673
reference_id
reference_type
scores
0
value 0.00329
scoring_system epss
scoring_elements 0.56137
published_at 2026-06-07T12:55:00Z
1
value 0.00329
scoring_system epss
scoring_elements 0.56149
published_at 2026-06-06T12:55:00Z
2
value 0.00329
scoring_system epss
scoring_elements 0.5614
published_at 2026-06-09T12:55:00Z
3
value 0.00329
scoring_system epss
scoring_elements 0.56143
published_at 2026-06-05T12:55:00Z
4
value 0.00329
scoring_system epss
scoring_elements 0.5612
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55673
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T14:02:38Z/
url https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8
3
reference_url http://www.openwall.com/lists/oss-security/2025/08/14/3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/08/14/3
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55673
reference_id CVE-2025-55673
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55673
5
reference_url https://github.com/advisories/GHSA-9g5x-mm39-wg9r
reference_id GHSA-9g5x-mm39-wg9r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9g5x-mm39-wg9r
fixed_packages
0
url pkg:pypi/apache-superset@4.1.3.post1
purl pkg:pypi/apache-superset@4.1.3.post1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ftpt-n6j5-8uf2
1
vulnerability VCID-fy2u-7r3d-rbbf
2
vulnerability VCID-hpgv-z5gk-tkhs
3
vulnerability VCID-t415-wgxb-5kbt
4
vulnerability VCID-tn5d-naa3-uuba
5
vulnerability VCID-v1xw-5b4s-cqhx
6
vulnerability VCID-ys7s-ahtc-c3hg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.3.post1
aliases CVE-2025-55673, GHSA-9g5x-mm39-wg9r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8mj1-r3na-zbdx
3
url VCID-bzqd-gxbh-4kh5
vulnerability_id VCID-bzqd-gxbh-4kh5
summary 
Apache Superset Allows Ownership Takeover
Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.

This issue affects Apache Superset: through 4.1.1.

Users are recommended to upgrade to version 4.1.2 or above, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27696
reference_id
reference_type
scores
0
value 0.00079
scoring_system epss
scoring_elements 0.23557
published_at 2026-06-05T12:55:00Z
1
value 0.00079
scoring_system epss
scoring_elements 0.23445
published_at 2026-06-09T12:55:00Z
2
value 0.00079
scoring_system epss
scoring_elements 0.2344
published_at 2026-06-08T12:55:00Z
3
value 0.00079
scoring_system epss
scoring_elements 0.23495
published_at 2026-06-07T12:55:00Z
4
value 0.00079
scoring_system epss
scoring_elements 0.23541
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27696
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425
3
reference_url https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-13T13:15:33Z/
url https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413
4
reference_url http://www.openwall.com/lists/oss-security/2025/05/12/3
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/05/12/3
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27696
reference_id CVE-2025-27696
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27696
6
reference_url https://github.com/advisories/GHSA-w6c7-j32f-rq8j
reference_id GHSA-w6c7-j32f-rq8j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w6c7-j32f-rq8j
fixed_packages
0
url pkg:pypi/apache-superset@4.1.2
purl pkg:pypi/apache-superset@4.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8mj1-r3na-zbdx
1
vulnerability VCID-ftpt-n6j5-8uf2
2
vulnerability VCID-fy2u-7r3d-rbbf
3
vulnerability VCID-hpgv-z5gk-tkhs
4
vulnerability VCID-t415-wgxb-5kbt
5
vulnerability VCID-tn5d-naa3-uuba
6
vulnerability VCID-v1xw-5b4s-cqhx
7
vulnerability VCID-ys7s-ahtc-c3hg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2
aliases CVE-2025-27696, GHSA-w6c7-j32f-rq8j
risk_score 4.0
exploitability 0.5
weighted_severity 7.9
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bzqd-gxbh-4kh5
4
url VCID-cm8z-243v-63h6
vulnerability_id VCID-cm8z-243v-63h6
summary 
Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.

This issue affects Apache Superset: before 4.1.2.

Users are recommended to upgrade to version 4.1.2, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23969
reference_id
reference_type
scores
0
value 0.00069
scoring_system epss
scoring_elements 0.21402
published_at 2026-06-08T12:55:00Z
1
value 0.00069
scoring_system epss
scoring_elements 0.21509
published_at 2026-06-06T12:55:00Z
2
value 0.00069
scoring_system epss
scoring_elements 0.21522
published_at 2026-06-05T12:55:00Z
3
value 0.00069
scoring_system epss
scoring_elements 0.21412
published_at 2026-06-09T12:55:00Z
4
value 0.00069
scoring_system epss
scoring_elements 0.21461
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23969
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:03:24Z/
url https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd
3
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/4
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23969
reference_id CVE-2026-23969
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23969
5
reference_url https://github.com/advisories/GHSA-48m2-v2r8-h23m
reference_id GHSA-48m2-v2r8-h23m
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-48m2-v2r8-h23m
fixed_packages
0
url pkg:pypi/apache-superset@4.1.2
purl pkg:pypi/apache-superset@4.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8mj1-r3na-zbdx
1
vulnerability VCID-ftpt-n6j5-8uf2
2
vulnerability VCID-fy2u-7r3d-rbbf
3
vulnerability VCID-hpgv-z5gk-tkhs
4
vulnerability VCID-t415-wgxb-5kbt
5
vulnerability VCID-tn5d-naa3-uuba
6
vulnerability VCID-v1xw-5b4s-cqhx
7
vulnerability VCID-ys7s-ahtc-c3hg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2
aliases CVE-2026-23969, GHSA-48m2-v2r8-h23m
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cm8z-243v-63h6
5
url VCID-fnqj-j4xk-xbdv
vulnerability_id VCID-fnqj-j4xk-xbdv
summary 
Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.

issue affects Apache Superset: from 2.0.0 before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53949
reference_id
reference_type
scores
0
value 0.00335
scoring_system epss
scoring_elements 0.56634
published_at 2026-06-05T12:55:00Z
1
value 0.00335
scoring_system epss
scoring_elements 0.56632
published_at 2026-06-09T12:55:00Z
2
value 0.00335
scoring_system epss
scoring_elements 0.56614
published_at 2026-06-08T12:55:00Z
3
value 0.00335
scoring_system epss
scoring_elements 0.56628
published_at 2026-06-07T12:55:00Z
4
value 0.00335
scoring_system epss
scoring_elements 0.5664
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53949
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7
3
reference_url https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-09T15:01:51Z/
url https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d
4
reference_url http://www.openwall.com/lists/oss-security/2024/12/09/4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/12/09/4
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53949
reference_id CVE-2024-53949
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53949
6
reference_url https://github.com/advisories/GHSA-35fc-9hrj-3585
reference_id GHSA-35fc-9hrj-3585
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-35fc-9hrj-3585
fixed_packages
0
url pkg:pypi/apache-superset@4.1.0
purl pkg:pypi/apache-superset@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-35st-tkb8-hkfu
1
vulnerability VCID-8mj1-r3na-zbdx
2
vulnerability VCID-bzqd-gxbh-4kh5
3
vulnerability VCID-cm8z-243v-63h6
4
vulnerability VCID-ftpt-n6j5-8uf2
5
vulnerability VCID-fy2u-7r3d-rbbf
6
vulnerability VCID-hpgv-z5gk-tkhs
7
vulnerability VCID-t415-wgxb-5kbt
8
vulnerability VCID-tn5d-naa3-uuba
9
vulnerability VCID-v1xw-5b4s-cqhx
10
vulnerability VCID-ys7s-ahtc-c3hg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0
aliases CVE-2024-53949, GHSA-35fc-9hrj-3585
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fnqj-j4xk-xbdv
6
url VCID-ftpt-n6j5-8uf2
vulnerability_id VCID-ftpt-n6j5-8uf2
summary 
Apache Superset Improper Authorization allows low-privileged users to bypass access controls
An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23982
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.1342
published_at 2026-06-05T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.13337
published_at 2026-06-09T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.13305
published_at 2026-06-08T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13385
published_at 2026-06-07T12:55:00Z
4
value 0.00043
scoring_system epss
scoring_elements 0.13426
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23982
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:44:20Z/
url https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp
3
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/6
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/6
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23982
reference_id CVE-2026-23982
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23982
5
reference_url https://github.com/advisories/GHSA-3m2g-v7jf-7fxc
reference_id GHSA-3m2g-v7jf-7fxc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3m2g-v7jf-7fxc
fixed_packages
0
url pkg:pypi/apache-superset@6.0.0
purl pkg:pypi/apache-superset@6.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0
aliases CVE-2026-23982, GHSA-3m2g-v7jf-7fxc
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ftpt-n6j5-8uf2
7
url VCID-fy2u-7r3d-rbbf
vulnerability_id VCID-fy2u-7r3d-rbbf
summary 
Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55675
reference_id
reference_type
scores
0
value 0.00094
scoring_system epss
scoring_elements 0.262
published_at 2026-06-07T12:55:00Z
1
value 0.00094
scoring_system epss
scoring_elements 0.26245
published_at 2026-06-06T12:55:00Z
2
value 0.00094
scoring_system epss
scoring_elements 0.2615
published_at 2026-06-09T12:55:00Z
3
value 0.00094
scoring_system epss
scoring_elements 0.26253
published_at 2026-06-05T12:55:00Z
4
value 0.00094
scoring_system epss
scoring_elements 0.26143
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55675
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:47:53Z/
url https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33
3
reference_url http://www.openwall.com/lists/oss-security/2025/08/14/6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/08/14/6
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55675
reference_id CVE-2025-55675
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55675
5
reference_url https://github.com/advisories/GHSA-mhpq-m962-mg92
reference_id GHSA-mhpq-m962-mg92
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mhpq-m962-mg92
fixed_packages
0
url pkg:pypi/apache-superset@5.0.0
purl pkg:pypi/apache-superset@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ftpt-n6j5-8uf2
1
vulnerability VCID-hpgv-z5gk-tkhs
2
vulnerability VCID-t415-wgxb-5kbt
3
vulnerability VCID-v1xw-5b4s-cqhx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0
aliases CVE-2025-55675, GHSA-mhpq-m962-mg92
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fy2u-7r3d-rbbf
8
url VCID-hpgv-z5gk-tkhs
vulnerability_id VCID-hpgv-z5gk-tkhs
summary 
Apache Superset allows authenticated users to view sensitive data without explicit permissions
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.
When these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23983
reference_id
reference_type
scores
0
value 0.00055
scoring_system epss
scoring_elements 0.17558
published_at 2026-06-05T12:55:00Z
1
value 0.00055
scoring_system epss
scoring_elements 0.17451
published_at 2026-06-09T12:55:00Z
2
value 0.00055
scoring_system epss
scoring_elements 0.17434
published_at 2026-06-08T12:55:00Z
3
value 0.00055
scoring_system epss
scoring_elements 0.17514
published_at 2026-06-07T12:55:00Z
4
value 0.00055
scoring_system epss
scoring_elements 0.17552
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23983
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:46:54Z/
url https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww
3
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/7
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/7
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23983
reference_id CVE-2026-23983
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23983
5
reference_url https://github.com/advisories/GHSA-h294-8fxm-m2pj
reference_id GHSA-h294-8fxm-m2pj
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h294-8fxm-m2pj
fixed_packages
0
url pkg:pypi/apache-superset@6.0.0
purl pkg:pypi/apache-superset@6.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0
aliases CVE-2026-23983, GHSA-h294-8fxm-m2pj
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hpgv-z5gk-tkhs
9
url VCID-qjuf-y3k1-yffm
vulnerability_id VCID-qjuf-y3k1-yffm
summary 
Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.

This issue affects Apache Superset: <4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53947
reference_id
reference_type
scores
0
value 0.00399
scoring_system epss
scoring_elements 0.61043
published_at 2026-06-05T12:55:00Z
1
value 0.00399
scoring_system epss
scoring_elements 0.6104
published_at 2026-06-09T12:55:00Z
2
value 0.00399
scoring_system epss
scoring_elements 0.61021
published_at 2026-06-08T12:55:00Z
3
value 0.00399
scoring_system epss
scoring_elements 0.61039
published_at 2026-06-07T12:55:00Z
4
value 0.00399
scoring_system epss
scoring_elements 0.61051
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53947
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f
3
reference_url https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:05:04Z/
url https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53947
reference_id CVE-2024-53947
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53947
5
reference_url https://github.com/advisories/GHSA-92qf-8gh3-gwcm
reference_id GHSA-92qf-8gh3-gwcm
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-92qf-8gh3-gwcm
fixed_packages
0
url pkg:pypi/apache-superset@4.1.0
purl pkg:pypi/apache-superset@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-35st-tkb8-hkfu
1
vulnerability VCID-8mj1-r3na-zbdx
2
vulnerability VCID-bzqd-gxbh-4kh5
3
vulnerability VCID-cm8z-243v-63h6
4
vulnerability VCID-ftpt-n6j5-8uf2
5
vulnerability VCID-fy2u-7r3d-rbbf
6
vulnerability VCID-hpgv-z5gk-tkhs
7
vulnerability VCID-t415-wgxb-5kbt
8
vulnerability VCID-tn5d-naa3-uuba
9
vulnerability VCID-v1xw-5b4s-cqhx
10
vulnerability VCID-ys7s-ahtc-c3hg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0
aliases CVE-2024-53947, GHSA-92qf-8gh3-gwcm
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qjuf-y3k1-yffm
10
url VCID-t415-wgxb-5kbt
vulnerability_id VCID-t415-wgxb-5kbt
summary 
Apache Superset allows privileged users to conduct error-based SQL Injection
Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23980
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12666
published_at 2026-06-08T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12785
published_at 2026-06-06T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12781
published_at 2026-06-05T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12697
published_at 2026-06-09T12:55:00Z
4
value 0.00041
scoring_system epss
scoring_elements 0.12748
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23980
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:05:27Z/
url https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4
3
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/5
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23980
reference_id CVE-2026-23980
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23980
5
reference_url https://github.com/advisories/GHSA-gvxg-9hqx-f4rg
reference_id GHSA-gvxg-9hqx-f4rg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gvxg-9hqx-f4rg
fixed_packages
0
url pkg:pypi/apache-superset@6.0.0
purl pkg:pypi/apache-superset@6.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0
aliases CVE-2026-23980, GHSA-gvxg-9hqx-f4rg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t415-wgxb-5kbt
11
url VCID-tn5d-naa3-uuba
vulnerability_id VCID-tn5d-naa3-uuba
summary 
Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55672
reference_id
reference_type
scores
0
value 0.0008
scoring_system epss
scoring_elements 0.23811
published_at 2026-06-06T12:55:00Z
1
value 0.0008
scoring_system epss
scoring_elements 0.23716
published_at 2026-06-09T12:55:00Z
2
value 0.0008
scoring_system epss
scoring_elements 0.23826
published_at 2026-06-05T12:55:00Z
3
value 0.0008
scoring_system epss
scoring_elements 0.23711
published_at 2026-06-08T12:55:00Z
4
value 0.0008
scoring_system epss
scoring_elements 0.23765
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55672
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:52:16Z/
url https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj
3
reference_url http://www.openwall.com/lists/oss-security/2025/08/14/4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/08/14/4
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55672
reference_id CVE-2025-55672
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55672
5
reference_url https://github.com/advisories/GHSA-fj97-2v9x-w5m4
reference_id GHSA-fj97-2v9x-w5m4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fj97-2v9x-w5m4
fixed_packages
0
url pkg:pypi/apache-superset@5.0.0
purl pkg:pypi/apache-superset@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ftpt-n6j5-8uf2
1
vulnerability VCID-hpgv-z5gk-tkhs
2
vulnerability VCID-t415-wgxb-5kbt
3
vulnerability VCID-v1xw-5b4s-cqhx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0
aliases CVE-2025-55672, GHSA-fj97-2v9x-w5m4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tn5d-naa3-uuba
12
url VCID-v1xw-5b4s-cqhx
vulnerability_id VCID-v1xw-5b4s-cqhx
summary 
Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections
An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection.
While the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23984
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12742
published_at 2026-06-08T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12867
published_at 2026-06-06T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12862
published_at 2026-06-05T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12772
published_at 2026-06-09T12:55:00Z
4
value 0.00041
scoring_system epss
scoring_elements 0.12828
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23984
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:51:19Z/
url https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26
3
reference_url http://www.openwall.com/lists/oss-security/2026/02/24/8
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2026/02/24/8
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23984
reference_id CVE-2026-23984
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23984
5
reference_url https://github.com/advisories/GHSA-mwf2-qr4v-94h2
reference_id GHSA-mwf2-qr4v-94h2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mwf2-qr4v-94h2
fixed_packages
0
url pkg:pypi/apache-superset@6.0.0
purl pkg:pypi/apache-superset@6.0.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0
aliases CVE-2026-23984, GHSA-mwf2-qr4v-94h2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v1xw-5b4s-cqhx
13
url VCID-x5yk-adk3-b7g8
vulnerability_id VCID-x5yk-adk3-b7g8
summary 
Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access
Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable.

This issue affects Apache Superset: before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-55633
reference_id
reference_type
scores
0
value 0.01043
scoring_system epss
scoring_elements 0.77833
published_at 2026-06-05T12:55:00Z
1
value 0.01043
scoring_system epss
scoring_elements 0.77838
published_at 2026-06-09T12:55:00Z
2
value 0.01043
scoring_system epss
scoring_elements 0.7782
published_at 2026-06-08T12:55:00Z
3
value 0.01043
scoring_system epss
scoring_elements 0.7783
published_at 2026-06-07T12:55:00Z
4
value 0.01043
scoring_system epss
scoring_elements 0.7784
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-55633
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-12T15:27:53Z/
url https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb
3
reference_url http://www.openwall.com/lists/oss-security/2024/12/12/1
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2024/12/12/1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-55633
reference_id CVE-2024-55633
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-55633
5
reference_url https://github.com/advisories/GHSA-787v-v9vq-4rgv
reference_id GHSA-787v-v9vq-4rgv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-787v-v9vq-4rgv
fixed_packages
0
url pkg:pypi/apache-superset@4.1.0
purl pkg:pypi/apache-superset@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-35st-tkb8-hkfu
1
vulnerability VCID-8mj1-r3na-zbdx
2
vulnerability VCID-bzqd-gxbh-4kh5
3
vulnerability VCID-cm8z-243v-63h6
4
vulnerability VCID-ftpt-n6j5-8uf2
5
vulnerability VCID-fy2u-7r3d-rbbf
6
vulnerability VCID-hpgv-z5gk-tkhs
7
vulnerability VCID-t415-wgxb-5kbt
8
vulnerability VCID-tn5d-naa3-uuba
9
vulnerability VCID-v1xw-5b4s-cqhx
10
vulnerability VCID-ys7s-ahtc-c3hg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0
aliases CVE-2024-55633, GHSA-787v-v9vq-4rgv
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x5yk-adk3-b7g8
14
url VCID-ys7s-ahtc-c3hg
vulnerability_id VCID-ys7s-ahtc-c3hg
summary 
Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55674
reference_id
reference_type
scores
0
value 0.0014
scoring_system epss
scoring_elements 0.33817
published_at 2026-06-07T12:55:00Z
1
value 0.0014
scoring_system epss
scoring_elements 0.33851
published_at 2026-06-06T12:55:00Z
2
value 0.0014
scoring_system epss
scoring_elements 0.33809
published_at 2026-06-09T12:55:00Z
3
value 0.0014
scoring_system epss
scoring_elements 0.33835
published_at 2026-06-05T12:55:00Z
4
value 0.0014
scoring_system epss
scoring_elements 0.33784
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55674
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:49:40Z/
url https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo
3
reference_url http://www.openwall.com/lists/oss-security/2025/08/14/5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/08/14/5
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55674
reference_id CVE-2025-55674
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55674
5
reference_url https://github.com/advisories/GHSA-fxgf-3xh6-m2pp
reference_id GHSA-fxgf-3xh6-m2pp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fxgf-3xh6-m2pp
fixed_packages
0
url pkg:pypi/apache-superset@5.0.0
purl pkg:pypi/apache-superset@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ftpt-n6j5-8uf2
1
vulnerability VCID-hpgv-z5gk-tkhs
2
vulnerability VCID-t415-wgxb-5kbt
3
vulnerability VCID-v1xw-5b4s-cqhx
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0
aliases CVE-2025-55674, GHSA-fxgf-3xh6-m2pp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ys7s-ahtc-c3hg
Fixing_vulnerabilities
0
url VCID-q3qz-uq7w-j3gy
vulnerability_id VCID-q3qz-uq7w-j3gy
summary 
Apache Superset vulnerable to improper SQL authorization
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.

This issue affects Apache Superset: before 4.0.2.

Users are recommended to upgrade to version 4.0.2, which fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-39887
reference_id
reference_type
scores
0
value 0.60251
scoring_system epss
scoring_elements 0.98309
published_at 2026-06-05T12:55:00Z
1
value 0.61396
scoring_system epss
scoring_elements 0.98348
published_at 2026-06-09T12:55:00Z
2
value 0.61396
scoring_system epss
scoring_elements 0.98349
published_at 2026-06-07T12:55:00Z
3
value 0.61396
scoring_system epss
scoring_elements 0.9835
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-39887
1
reference_url https://github.com/apache/superset
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset
2
reference_url https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506
3
reference_url https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/
url https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz
4
reference_url http://www.openwall.com/lists/oss-security/2024/07/16/5
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/
url http://www.openwall.com/lists/oss-security/2024/07/16/5
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-39887
reference_id CVE-2024-39887
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-39887
6
reference_url https://github.com/advisories/GHSA-2q6j-vpvr-6pvj
reference_id GHSA-2q6j-vpvr-6pvj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2q6j-vpvr-6pvj
fixed_packages
0
url pkg:pypi/apache-superset@4.0.2
purl pkg:pypi/apache-superset@4.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2gr1-bbms-4qcv
1
vulnerability VCID-35st-tkb8-hkfu
2
vulnerability VCID-8mj1-r3na-zbdx
3
vulnerability VCID-bzqd-gxbh-4kh5
4
vulnerability VCID-cm8z-243v-63h6
5
vulnerability VCID-fnqj-j4xk-xbdv
6
vulnerability VCID-ftpt-n6j5-8uf2
7
vulnerability VCID-fy2u-7r3d-rbbf
8
vulnerability VCID-hpgv-z5gk-tkhs
9
vulnerability VCID-qjuf-y3k1-yffm
10
vulnerability VCID-t415-wgxb-5kbt
11
vulnerability VCID-tn5d-naa3-uuba
12
vulnerability VCID-v1xw-5b4s-cqhx
13
vulnerability VCID-x5yk-adk3-b7g8
14
vulnerability VCID-ys7s-ahtc-c3hg
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.2
aliases CVE-2024-39887, GHSA-2q6j-vpvr-6pvj
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q3qz-uq7w-j3gy
Risk_score4.4
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.2