VYPR
Moderate severityNVD Advisory· Published Aug 14, 2025· Updated Nov 4, 2025

Apache Superset: Stored XSS on charts metadata

CVE-2025-55672

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
apache-supersetPyPI
< 5.0.05.0.0

Affected products

7

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.