Apache Superset stored XSS on Dashboard markdown
Description
Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart-related information. Abusing this functionality, a malicious user could inject JavaScript code that executes unwanted actions in the context of the user's browser. The JavaScript code is executed automatically (stored XSS) when a legitimate user visits the dashboard page. The vulnerability is exploitable by creating a "div" section and embedding in it an "svg" element containing JavaScript code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Superset ≤0.38.0 contains a stored XSS vulnerability via malicious JavaScript in Markdown dashboard components.
Apache Superset up to and including version 0.38.0 allowed users to create Markdown components on dashboard pages for describing chart-related information. This functionality lacked proper input sanitization, enabling an attacker to inject arbitrary JavaScript code into a Markdown element [1][4]. The vulnerability is exploited by crafting a "div" section and embedding within it an "svg" element containing malicious JavaScript [1].
To trigger the attack, the attacker must have the ability to create or edit dashboards, which typically requires authenticated access with at least editor-level privileges. Once a dashboard containing the malicious Markdown component is visited by any legitimate user, the injected JavaScript executes automatically in the context of the victim's browser [1]. This is a classic stored (persistent) cross-site scripting (XSS) attack.
Successful exploitation allows the attacker to perform arbitrary actions in the victim's browser session, such as stealing session cookies, exfiltrating sensitive data displayed on the dashboard, performing actions on behalf of the user, or defacing the dashboard page [1]. The impact is limited by the privileges of the viewing user but can lead to compromise of the Superset instance and its data.
Apache released a patched version to address this vulnerability. Users are strongly advised to upgrade to a version later than 0.38.0. No workaround is mentioned in the available references, so upgrading is the recommended mitigation [2][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
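The root cause described above is Markdown-rendered HTML reaching the viewer's browser unsanitized. The Python sanitizer below is an added illustration, not Superset's own fix: it allowlists tags and attributes in rendered Markdown HTML, drops script-capable subtrees such as `svg`, `script` and `iframe` outright, and rejects `href` values whose scheme is not http(s) or mailto. The allowlists are assumed policy and the sample input is constructed to match the advisory's div-wrapping-svg shape.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist for HTML rendered from dashboard Markdown (assumed policy, not Superset's own).
ALLOWED_TAGS = {"p", "div", "span", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "h1", "h2", "h3", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "div": {"class"}, "span": {"class"}}
# Elements that can carry script: the element and its whole subtree are dropped.
DROP_SUBTREE = {"script", "style", "svg", "iframe", "object", "embed"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}

def safe_href(value):
    # Browsers ignore control characters and whitespace inside a scheme, so strip them first.
    cleaned = "".join(c for c in value if ord(c) > 0x20)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES

class MarkdownHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.drop_tag, self.drop_nest = [], None, 0
    def handle_starttag(self, tag, attrs):
        if self.drop_tag:                       # inside a dropped subtree: track nesting only
            self.drop_nest += tag == self.drop_tag
        elif tag in DROP_SUBTREE:
            self.drop_tag, self.drop_nest = tag, 1
        elif tag in ALLOWED_TAGS:               # unknown tags are stripped, their text kept
            kept = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS.get(tag, ())
                    and v is not None and (k != "href" or safe_href(v))]
            attr_str = "".join(f' {k}="{html.escape(v)}"' for k, v in kept)
            self.out.append(f"<{tag}{attr_str}>")
    def handle_endtag(self, tag):
        if self.drop_tag:
            self.drop_nest -= tag == self.drop_tag
            if self.drop_nest == 0:
                self.drop_tag = None
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.drop_tag:
            self.out.append(html.escape(data))  # text can never become markup

def sanitize_markdown_html(rendered):
    parser = MarkdownHtmlSanitizer()
    parser.feed(rendered)
    parser.close()
    return "".join(parser.out)

# Constructed sample in the advisory's shape: a div wrapping an svg that carries script.
SAMPLE = ('<div class="note"><p>Sales by <b>region</b></p>'
          '<svg><script>doSomething()</script></svg>'
          '<a href="javascript:x()" onclick="y()">link</a><a href="https://example.com">ok</a></div>')
```

Run `sanitize_markdown_html(SAMPLE)` and the svg subtree, the event handler and the javascript: URL are gone while the descriptive text and a safe link survive.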
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apache-superset (PyPI) | < 0.38.1 | 0.38.1 |
Affected products
- Apache Software Foundation / Apache Superset (no CPE assigned): versions < 0.38.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-w358-rj93-r5qv (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-27907 (NVD advisory)
3. github.com/pypa/advisory-database/tree/main/vulns/apache-superset/PYSEC-2021-127.yaml (PyPI advisory database)
4. lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9bc5c1873bea67a%40%3Cdev.superset.apache.org%3E (dev.superset.apache.org mailing list)
5. lists.apache.org/thread.html/r09293fb09f1d617f0d2180c42210e739e2211f8da9bc5c1873bea67a@%3Cdev.superset.apache.org%3E (dev.superset.apache.org mailing list)
News mentions
No linked articles in our index yet.