apk package
chainguard/superset-4.1-entrypoint
pkg:apk/chainguard/superset-4.1-entrypoint
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-69277 | Med | 4.5 |  | < 4.1.4-r5 | 4.1.4-r5 | Dec 31, 2025 | libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g |
| CVE-2025-68480 | Med | 5.3 |  | < 4.1.4-r4 | 4.1.4-r4 | Dec 22, 2025 | Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request |
| CVE-2025-66221 | — |  |  | < 4.1.4-r3 | 4.1.4-r3 | Nov 29, 2025 | Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every direc |
| CVE-2025-6176 | High | 7.5 |  | < 4.1.4-r2 | 4.1.4-r2 | Oct 31, 2025 | Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less |
| CVE-2025-58065 | — |  |  | < 4.1.4-r1 | 4.1.4-r1 | Sep 11, 2025 | Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in th |
| CVE-2025-55675 | — |  |  | < 4.1.4-r2 | 4.1.4-r2 | Aug 14, 2025 | Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, |
| CVE-2025-55674 | — |  |  | < 4.1.4-r2 | 4.1.4-r2 | Aug 14, 2025 | A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to |
| CVE-2025-55672 | — |  |  | < 4.1.4-r2 | 4.1.4-r2 | Aug 14, 2025 | A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's b |
| CVE-2025-55673 | — |  |  | < 0 | 0 | Aug 14, 2025 | When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privilege |