VYPR
Moderate severity · NVD Advisory · Published Aug 14, 2025 · Updated Nov 4, 2025

Apache Superset: Stored XSS on charts metadata

CVE-2025-55672

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Apache Superset chart labels allows authenticated attackers with edit permissions to execute arbitrary JavaScript when victims hover over charts, risking session hijacking.

Vulnerability

Overview

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. The root cause is improper sanitization of column labels in chart metadata. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. When other users view the chart and hover over the affected element, the payload executes in their browser [1][3].

Exploitation

Conditions

To exploit this vulnerability, an attacker must be an authenticated user with permissions to edit charts. No special network access or elevated privileges beyond chart editing are required. The attack does not require user interaction beyond normal chart viewing; simply hovering over the chart triggers the payload. The stored nature of the XSS means the malicious content persists until removed [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of sensitive data, or performing actions on behalf of the victim within the application. The impact is limited to the browser context of the victim, but can compromise the confidentiality and integrity of data accessible through the Superset interface [1][3].

Mitigation

The vulnerability affects Apache Superset versions before 5.0.0. Users are recommended to upgrade to version 5.0.0, which contains the fix that properly sanitizes column labels. No workarounds are mentioned in the advisories. The issue was reported by Pedro Sousa (coordinator), Jobar (finder), and Mehmet Yavuz (remediation developer) [1][3].
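The class of defect described above is a stored value from chart metadata being interpolated into tooltip markup without output encoding. The following is an added illustration, not Apache Superset's code and not the actual fix shipped in 5.0.0: it assumes a hypothetical tooltip template that places a column label and a value into HTML, and shows the unencoded rendering beside an encoded one, plus a small check a test suite could use to catch labels that turn into markup. The `escapeHtml`, `tooltipHtmlUnsafe`, `tooltipHtmlSafe` and `containsForeignTags` names and the sample label are constructed for this example.

```javascript
// Added example (not Apache Superset code). Models how a hover tooltip might
// render a column label that an editor stored in chart metadata.

// Encode the characters that change meaning in HTML text and attribute
// contexts. Needed only when a string must become part of markup; assigning
// the string via element.textContent in a real DOM needs no encoding.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern (hypothetical): the stored label is interpolated as markup,
// so any tags an editor put into it are parsed by the viewer's browser.
function tooltipHtmlUnsafe(label, value) {
  return `<div class="tooltip"><b>${label}</b>: ${value}</div>`;
}

// Hardened pattern: every metadata-derived string is encoded first, so the
// label is displayed literally, angle brackets included.
function tooltipHtmlSafe(label, value) {
  return `<div class="tooltip"><b>${escapeHtml(label)}</b>: ${escapeHtml(value)}</div>`;
}

// Defensive check for a test suite: does the rendered tooltip contain any
// element tag other than the ones the template itself emits? A true result
// means stored metadata reached the markup unencoded.
function containsForeignTags(html) {
  const allowed = new Set(["div", "b"]);
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample label: the angle brackets are the point, not any
// particular payload. A benign <i> tag is enough to show the difference.
const SAMPLE_LABEL = "Revenue <i>(unaudited)</i>";

// Stand-alone demonstration.
console.log(tooltipHtmlUnsafe(SAMPLE_LABEL, "42"));
console.log(tooltipHtmlSafe(SAMPLE_LABEL, "42"));
console.log("unsafe leaks tags:", containsForeignTags(tooltipHtmlUnsafe(SAMPLE_LABEL, "42")));
console.log("safe leaks tags:  ", containsForeignTags(tooltipHtmlSafe(SAMPLE_LABEL, "42")));
```

The check in `containsForeignTags` is a regression test, not a sanitizer: the remediation is to encode (or use `textContent`) at the point where metadata enters the DOM, and the check only confirms that every such point was covered. In a real deployment the same rule applies to every other string an editor controls in chart metadata (axis titles, legend entries, series names), since the advisory attributes the bug to one of them.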

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: apache-superset (PyPI)
Affected versions: < 5.0.0
Patched versions: 5.0.0

Affected products

2
  • Apache/Superset · llm-fuzzy
    Range: <5.0.0
  • Apache Software Foundation/Apache Superset · v5
    Range: 0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.