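Look up vulnerable packages by Package URL (purl).

Note when reading the response: a version listed under `fixed_packages` fixes only the vulnerability it is nested under. It can still carry `"is_vulnerable": true` because of other entries, so use the top-level `next_non_vulnerable_version` field when choosing an upgrade target.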

GET /api/packages/82190?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/82190?format=api",
    "purl": "pkg:pypi/apache-superset@4.0.2",
    "type": "pypi",
    "namespace": "",
    "name": "apache-superset",
    "version": "4.0.2",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "6.0.0",
    "latest_non_vulnerable_version": "6.0.0",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56324?format=api",
            "vulnerability_id": "VCID-2gr1-bbms-4qcv",
            "summary": "Apache Superset: Error verbosity exposes metadata in analytics databases\nGeneration of Error Message Containing analytics metadata Information in Apache Superset.\n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53948",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00172",
                            "scoring_system": "epss",
                            "scoring_elements": "0.38459",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00172",
                            "scoring_system": "epss",
                            "scoring_elements": "0.38416",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00172",
                            "scoring_system": "epss",
                            "scoring_elements": "0.38405",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00172",
                            "scoring_system": "epss",
                            "scoring_elements": "0.38434",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00172",
                            "scoring_system": "epss",
                            "scoring_elements": "0.38462",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53948"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:04:23Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2024/12/09/3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2024/12/09/3"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53948",
                    "reference_id": "CVE-2024-53948",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53948"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2cx9-54hp-r698",
                    "reference_id": "GHSA-2cx9-54hp-r698",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-2cx9-54hp-r698"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/83473?format=api",
                    "purl": "pkg:pypi/apache-superset@4.1.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-35st-tkb8-hkfu"
                        },
                        {
                            "vulnerability": "VCID-8mj1-r3na-zbdx"
                        },
                        {
                            "vulnerability": "VCID-bzqd-gxbh-4kh5"
                        },
                        {
                            "vulnerability": "VCID-cm8z-243v-63h6"
                        },
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-fy2u-7r3d-rbbf"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-tn5d-naa3-uuba"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        },
                        {
                            "vulnerability": "VCID-ys7s-ahtc-c3hg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0"
                }
            ],
            "aliases": [
                "CVE-2024-53948",
                "GHSA-2cx9-54hp-r698"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2gr1-bbms-4qcv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57377?format=api",
            "vulnerability_id": "VCID-35st-tkb8-hkfu",
            "summary": "Apache Superset: Improper authorization bypass on row level security via SQL Injection\nAn authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data.\n\nThis issue affects Apache Superset: before 4.1.2.\n\nUsers are recommended to upgrade to version 4.1.2, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48912",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56677",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56688",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.5668",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56682",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56662",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-48912"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-30T12:55:47Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/ms2t2oq218hb7l628trsogo4fj7h1135"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2025/05/30/3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2025/05/30/3"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48912",
                    "reference_id": "CVE-2025-48912",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48912"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-8w7f-8pr9-xgwj",
                    "reference_id": "GHSA-8w7f-8pr9-xgwj",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-8w7f-8pr9-xgwj"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74210?format=api",
                    "purl": "pkg:pypi/apache-superset@4.1.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8mj1-r3na-zbdx"
                        },
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-fy2u-7r3d-rbbf"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-tn5d-naa3-uuba"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        },
                        {
                            "vulnerability": "VCID-ys7s-ahtc-c3hg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2"
                }
            ],
            "aliases": [
                "CVE-2025-48912",
                "GHSA-8w7f-8pr9-xgwj"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-35st-tkb8-hkfu"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57839?format=api",
            "vulnerability_id": "VCID-8mj1-r3na-zbdx",
            "summary": "Apache Superset data query improperly discloses database schema information to low-privileged guest user\nWhen a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user.\n\nThis issue affects Apache Superset: before 4.1.3.\n\nUsers are recommended to upgrade to version 4.1.3, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55673",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00329",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56137",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00329",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56149",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00329",
                            "scoring_system": "epss",
                            "scoring_elements": "0.5614",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00329",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56143",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00329",
                            "scoring_system": "epss",
                            "scoring_elements": "0.5612",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55673"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-14T14:02:38Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/h2hw756wk4sj4z49blvzkr5fntl9hlf8"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2025/08/14/3"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55673",
                    "reference_id": "CVE-2025-55673",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55673"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-9g5x-mm39-wg9r",
                    "reference_id": "GHSA-9g5x-mm39-wg9r",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-9g5x-mm39-wg9r"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/86078?format=api",
                    "purl": "pkg:pypi/apache-superset@4.1.3.post1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-fy2u-7r3d-rbbf"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-tn5d-naa3-uuba"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        },
                        {
                            "vulnerability": "VCID-ys7s-ahtc-c3hg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.3.post1"
                }
            ],
            "aliases": [
                "CVE-2025-55673",
                "GHSA-9g5x-mm39-wg9r"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8mj1-r3na-zbdx"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57286?format=api",
            "vulnerability_id": "VCID-bzqd-gxbh-4kh5",
            "summary": "Apache Superset Allows Ownership Takeover\nImproper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions.\n\nThis issue affects Apache Superset: through 4.1.1.\n\nUsers are recommended to upgrade to version 4.1.2 or above, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27696",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00079",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23557",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00079",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23445",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00079",
                            "scoring_system": "epss",
                            "scoring_elements": "0.2344",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00079",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23495",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00079",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23541",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27696"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset/commit/fc844d3dfdace890b32c00a507a959b81122b425"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-13T13:15:33Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/k2od03bxnxs6vcp80sr03ywcxl194413"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2025/05/12/3",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2025/05/12/3"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27696",
                    "reference_id": "CVE-2025-27696",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27696"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-w6c7-j32f-rq8j",
                    "reference_id": "GHSA-w6c7-j32f-rq8j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-w6c7-j32f-rq8j"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74210?format=api",
                    "purl": "pkg:pypi/apache-superset@4.1.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8mj1-r3na-zbdx"
                        },
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-fy2u-7r3d-rbbf"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-tn5d-naa3-uuba"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        },
                        {
                            "vulnerability": "VCID-ys7s-ahtc-c3hg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2"
                }
            ],
            "aliases": [
                "CVE-2025-27696",
                "GHSA-w6c7-j32f-rq8j"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "7.9",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bzqd-gxbh-4kh5"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50312?format=api",
            "vulnerability_id": "VCID-cm8z-243v-63h6",
            "summary": "Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine\nApache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.\n\nThis issue affects Apache Superset: before 4.1.2.\n\nUsers are recommended to upgrade to version 4.1.2, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23969",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00069",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21402",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00069",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21509",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00069",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21522",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00069",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21412",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00069",
                            "scoring_system": "epss",
                            "scoring_elements": "0.21461",
                            "published_at": "2026-06-07T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23969"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:03:24Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2026/02/24/4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23969",
                    "reference_id": "CVE-2026-23969",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23969"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-48m2-v2r8-h23m",
                    "reference_id": "GHSA-48m2-v2r8-h23m",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-48m2-v2r8-h23m"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74210?format=api",
                    "purl": "pkg:pypi/apache-superset@4.1.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8mj1-r3na-zbdx"
                        },
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-fy2u-7r3d-rbbf"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-tn5d-naa3-uuba"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        },
                        {
                            "vulnerability": "VCID-ys7s-ahtc-c3hg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.2"
                }
            ],
            "aliases": [
                "CVE-2026-23969",
                "GHSA-48m2-v2r8-h23m"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cm8z-243v-63h6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56317?format=api",
            "vulnerability_id": "VCID-fnqj-j4xk-xbdv",
            "summary": "Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled\nImproper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.\n\nThis issue affects Apache Superset: from 2.0.0 before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53949",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56634",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56632",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56614",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.56628",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00335",
                            "scoring_system": "epss",
                            "scoring_elements": "0.5664",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53949"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-09T15:01:51Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2024/12/09/4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2024/12/09/4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53949",
                    "reference_id": "CVE-2024-53949",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "7.6",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53949"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-35fc-9hrj-3585",
                    "reference_id": "GHSA-35fc-9hrj-3585",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-35fc-9hrj-3585"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/83473?format=api",
                    "purl": "pkg:pypi/apache-superset@4.1.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-35st-tkb8-hkfu"
                        },
                        {
                            "vulnerability": "VCID-8mj1-r3na-zbdx"
                        },
                        {
                            "vulnerability": "VCID-bzqd-gxbh-4kh5"
                        },
                        {
                            "vulnerability": "VCID-cm8z-243v-63h6"
                        },
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-fy2u-7r3d-rbbf"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-tn5d-naa3-uuba"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        },
                        {
                            "vulnerability": "VCID-ys7s-ahtc-c3hg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0"
                }
            ],
            "aliases": [
                "CVE-2024-53949",
                "GHSA-35fc-9hrj-3585"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fnqj-j4xk-xbdv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50336?format=api",
            "vulnerability_id": "VCID-ftpt-n6j5-8uf2",
            "summary": "Apache Superset Improper Authorization allows low-privileged users to bypass access controls\nAn Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23982",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1342",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13337",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13305",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13385",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.13426",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23982"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:44:20Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2026/02/24/6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23982",
                    "reference_id": "CVE-2026-23982",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23982"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3m2g-v7jf-7fxc",
                    "reference_id": "GHSA-3m2g-v7jf-7fxc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-3m2g-v7jf-7fxc"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74227?format=api",
                    "purl": "pkg:pypi/apache-superset@6.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0"
                }
            ],
            "aliases": [
                "CVE-2026-23982",
                "GHSA-3m2g-v7jf-7fxc"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ftpt-n6j5-8uf2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57848?format=api",
            "vulnerability_id": "VCID-fy2u-7r3d-rbbf",
            "summary": "Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access\nApache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55675",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00094",
                            "scoring_system": "epss",
                            "scoring_elements": "0.262",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00094",
                            "scoring_system": "epss",
                            "scoring_elements": "0.26245",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00094",
                            "scoring_system": "epss",
                            "scoring_elements": "0.2615",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00094",
                            "scoring_system": "epss",
                            "scoring_elements": "0.26253",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00094",
                            "scoring_system": "epss",
                            "scoring_elements": "0.26143",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55675"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:47:53Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/op681b4kbd7g84tfjf9omz0sxggbcv33"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/6",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2025/08/14/6"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55675",
                    "reference_id": "CVE-2025-55675",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55675"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mhpq-m962-mg92",
                    "reference_id": "GHSA-mhpq-m962-mg92",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-mhpq-m962-mg92"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/86086?format=api",
                    "purl": "pkg:pypi/apache-superset@5.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0"
                }
            ],
            "aliases": [
                "CVE-2025-55675",
                "GHSA-mhpq-m962-mg92"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fy2u-7r3d-rbbf"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50340?format=api",
            "vulnerability_id": "VCID-hpgv-z5gk-tkhs",
            "summary": "Apache Superset allows authenticated users to view sensitive data without explicit permissions\nA Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.\nWhen these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue, or to make sure TAGGING_SYSTEM is False (the current Apache Superset default).",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23983",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17558",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17451",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17434",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17514",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17552",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23983"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:46:54Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/7",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2026/02/24/7"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23983",
                    "reference_id": "CVE-2026-23983",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23983"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-h294-8fxm-m2pj",
                    "reference_id": "GHSA-h294-8fxm-m2pj",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-h294-8fxm-m2pj"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74227?format=api",
                    "purl": "pkg:pypi/apache-superset@6.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0"
                }
            ],
            "aliases": [
                "CVE-2026-23983",
                "GHSA-h294-8fxm-m2pj"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hpgv-z5gk-tkhs"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56318?format=api",
            "vulnerability_id": "VCID-qjuf-y3k1-yffm",
            "summary": "Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions\nImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.\n\nThis issue affects Apache Superset: <4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue, or to add these PostgreSQL functions to the DISALLOWED_SQL_FUNCTIONS config set.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53947",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00399",
                            "scoring_system": "epss",
                            "scoring_elements": "0.61043",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00399",
                            "scoring_system": "epss",
                            "scoring_elements": "0.6104",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00399",
                            "scoring_system": "epss",
                            "scoring_elements": "0.61021",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00399",
                            "scoring_system": "epss",
                            "scoring_elements": "0.61039",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.00399",
                            "scoring_system": "epss",
                            "scoring_elements": "0.61051",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53947"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-09T15:05:04Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53947",
                    "reference_id": "CVE-2024-53947",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "2.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53947"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-92qf-8gh3-gwcm",
                    "reference_id": "GHSA-92qf-8gh3-gwcm",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-92qf-8gh3-gwcm"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/83473?format=api",
                    "purl": "pkg:pypi/apache-superset@4.1.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-35st-tkb8-hkfu"
                        },
                        {
                            "vulnerability": "VCID-8mj1-r3na-zbdx"
                        },
                        {
                            "vulnerability": "VCID-bzqd-gxbh-4kh5"
                        },
                        {
                            "vulnerability": "VCID-cm8z-243v-63h6"
                        },
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-fy2u-7r3d-rbbf"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-tn5d-naa3-uuba"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        },
                        {
                            "vulnerability": "VCID-ys7s-ahtc-c3hg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0"
                }
            ],
            "aliases": [
                "CVE-2024-53947",
                "GHSA-92qf-8gh3-gwcm"
            ],
            "risk_score": 4.4,
            "exploitability": "0.5",
            "weighted_severity": "8.8",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qjuf-y3k1-yffm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50343?format=api",
            "vulnerability_id": "VCID-t415-wgxb-5kbt",
            "summary": "Apache Superset allows privileged users to conduct error-based SQL Injection\nImproper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23980",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12666",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12785",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12781",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12697",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12748",
                            "published_at": "2026-06-07T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23980"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:05:27Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2026/02/24/5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23980",
                    "reference_id": "CVE-2026-23980",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23980"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gvxg-9hqx-f4rg",
                    "reference_id": "GHSA-gvxg-9hqx-f4rg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-gvxg-9hqx-f4rg"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74227?format=api",
                    "purl": "pkg:pypi/apache-superset@6.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0"
                }
            ],
            "aliases": [
                "CVE-2026-23980",
                "GHSA-gvxg-9hqx-f4rg"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-t415-wgxb-5kbt"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57856?format=api",
            "vulnerability_id": "VCID-tn5d-naa3-uuba",
            "summary": "Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability\nA stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55672",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23811",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23716",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23826",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23711",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23765",
                            "published_at": "2026-06-07T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55672"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:52:16Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/4",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2025/08/14/4"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55672",
                    "reference_id": "CVE-2025-55672",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55672"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fj97-2v9x-w5m4",
                    "reference_id": "GHSA-fj97-2v9x-w5m4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fj97-2v9x-w5m4"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/86086?format=api",
                    "purl": "pkg:pypi/apache-superset@5.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0"
                }
            ],
            "aliases": [
                "CVE-2025-55672",
                "GHSA-fj97-2v9x-w5m4"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tn5d-naa3-uuba"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50351?format=api",
            "vulnerability_id": "VCID-v1xw-5b4s-cqhx",
            "summary": "Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections\nAn Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection.\nWhile the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23984",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12742",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12867",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12862",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12772",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.00041",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12828",
                            "published_at": "2026-06-07T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23984"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T15:51:19Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/24/8",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2026/02/24/8"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23984",
                    "reference_id": "CVE-2026-23984",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23984"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mwf2-qr4v-94h2",
                    "reference_id": "GHSA-mwf2-qr4v-94h2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-mwf2-qr4v-94h2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/74227?format=api",
                    "purl": "pkg:pypi/apache-superset@6.0.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@6.0.0"
                }
            ],
            "aliases": [
                "CVE-2026-23984",
                "GHSA-mwf2-qr4v-94h2"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v1xw-5b4s-cqhx"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56346?format=api",
            "vulnerability_id": "VCID-x5yk-adk3-b7g8",
            "summary": "Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access\nImproper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is incorrectly identified as a read-only query, enabling its execution. Non-Postgres analytics database connections and Postgres analytics database connections set with a readonly user (advised) are not vulnerable.\n\nThis issue affects Apache Superset: before 4.1.0.\n\nUsers are recommended to upgrade to version 4.1.0, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-55633",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.01043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.77833",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.01043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.77838",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.01043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.7782",
                            "published_at": "2026-06-08T12:55:00Z"
                        },
                        {
                            "value": "0.01043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.7783",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.01043",
                            "scoring_system": "epss",
                            "scoring_elements": "0.7784",
                            "published_at": "2026-06-06T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-55633"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-12T15:27:53Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/bwmd17fcvljt9q4cgctp4v09zh3qs7fb"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2024/12/12/1",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2024/12/12/1"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55633",
                    "reference_id": "CVE-2024-55633",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "6.5",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
                        },
                        {
                            "value": "7.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55633"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-787v-v9vq-4rgv",
                    "reference_id": "GHSA-787v-v9vq-4rgv",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-787v-v9vq-4rgv"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/83473?format=api",
                    "purl": "pkg:pypi/apache-superset@4.1.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-35st-tkb8-hkfu"
                        },
                        {
                            "vulnerability": "VCID-8mj1-r3na-zbdx"
                        },
                        {
                            "vulnerability": "VCID-bzqd-gxbh-4kh5"
                        },
                        {
                            "vulnerability": "VCID-cm8z-243v-63h6"
                        },
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-fy2u-7r3d-rbbf"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-tn5d-naa3-uuba"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        },
                        {
                            "vulnerability": "VCID-ys7s-ahtc-c3hg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.1.0"
                }
            ],
            "aliases": [
                "CVE-2024-55633",
                "GHSA-787v-v9vq-4rgv"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x5yk-adk3-b7g8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57858?format=api",
            "vulnerability_id": "VCID-ys7s-ahtc-c3hg",
            "summary": "Apache Superset has a bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions\nA bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version.\n\nThis issue affects Apache Superset: before 5.0.0.\n\nUsers are recommended to upgrade to version 5.0.0, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55674",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.33817",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.0014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.33851",
                            "published_at": "2026-06-06T12:55:00Z"
                        },
                        {
                            "value": "0.0014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.33809",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.0014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.33835",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.0014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.33784",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-55674"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-14T13:49:40Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/cn49ps15ny3g2b1qzdg5mj7hp47p5jdo"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2025/08/14/5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2025/08/14/5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55674",
                    "reference_id": "CVE-2025-55674",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.3",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55674"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-fxgf-3xh6-m2pp",
                    "reference_id": "GHSA-fxgf-3xh6-m2pp",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-fxgf-3xh6-m2pp"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/86086?format=api",
                    "purl": "pkg:pypi/apache-superset@5.0.0",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@5.0.0"
                }
            ],
            "aliases": [
                "CVE-2025-55674",
                "GHSA-fxgf-3xh6-m2pp"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ys7s-ahtc-c3hg"
        }
    ],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55523?format=api",
            "vulnerability_id": "VCID-q3qz-uq7w-j3gy",
            "summary": "Apache Superset vulnerable to improper SQL authorization\nAn SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection.\n\nThis issue affects Apache Superset: before 4.0.2.\n\nUsers are recommended to upgrade to version 4.0.2, which fixes the issue.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39887",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.60251",
                            "scoring_system": "epss",
                            "scoring_elements": "0.98309",
                            "published_at": "2026-06-05T12:55:00Z"
                        },
                        {
                            "value": "0.61396",
                            "scoring_system": "epss",
                            "scoring_elements": "0.98348",
                            "published_at": "2026-06-09T12:55:00Z"
                        },
                        {
                            "value": "0.61396",
                            "scoring_system": "epss",
                            "scoring_elements": "0.98349",
                            "published_at": "2026-06-07T12:55:00Z"
                        },
                        {
                            "value": "0.61396",
                            "scoring_system": "epss",
                            "scoring_elements": "0.9835",
                            "published_at": "2026-06-08T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39887"
                },
                {
                    "reference_url": "https://github.com/apache/superset",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset"
                },
                {
                    "reference_url": "https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/apache/superset/commit/56f0103b5771d477dd106272abbd8021c9ea7506"
                },
                {
                    "reference_url": "https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/"
                        }
                    ],
                    "url": "https://lists.apache.org/thread/j55vm41jg3l0x6w49zrmvbf3k0ts5fqz"
                },
                {
                    "reference_url": "http://www.openwall.com/lists/oss-security/2024/07/16/5",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:48:36Z/"
                        }
                    ],
                    "url": "http://www.openwall.com/lists/oss-security/2024/07/16/5"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39887",
                    "reference_id": "CVE-2024-39887",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "4.3",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
                        },
                        {
                            "value": "6.9",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39887"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2q6j-vpvr-6pvj",
                    "reference_id": "GHSA-2q6j-vpvr-6pvj",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-2q6j-vpvr-6pvj"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/82190?format=api",
                    "purl": "pkg:pypi/apache-superset@4.0.2",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-2gr1-bbms-4qcv"
                        },
                        {
                            "vulnerability": "VCID-35st-tkb8-hkfu"
                        },
                        {
                            "vulnerability": "VCID-8mj1-r3na-zbdx"
                        },
                        {
                            "vulnerability": "VCID-bzqd-gxbh-4kh5"
                        },
                        {
                            "vulnerability": "VCID-cm8z-243v-63h6"
                        },
                        {
                            "vulnerability": "VCID-fnqj-j4xk-xbdv"
                        },
                        {
                            "vulnerability": "VCID-ftpt-n6j5-8uf2"
                        },
                        {
                            "vulnerability": "VCID-fy2u-7r3d-rbbf"
                        },
                        {
                            "vulnerability": "VCID-hpgv-z5gk-tkhs"
                        },
                        {
                            "vulnerability": "VCID-qjuf-y3k1-yffm"
                        },
                        {
                            "vulnerability": "VCID-t415-wgxb-5kbt"
                        },
                        {
                            "vulnerability": "VCID-tn5d-naa3-uuba"
                        },
                        {
                            "vulnerability": "VCID-v1xw-5b4s-cqhx"
                        },
                        {
                            "vulnerability": "VCID-x5yk-adk3-b7g8"
                        },
                        {
                            "vulnerability": "VCID-ys7s-ahtc-c3hg"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.2"
                }
            ],
            "aliases": [
                "CVE-2024-39887",
                "GHSA-2q6j-vpvr-6pvj"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q3qz-uq7w-j3gy"
        }
    ],
    "risk_score": "4.4",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/apache-superset@4.0.2"
}