VYPR

apk package

chainguard/superset-4.1-iamguarded-compat

pkg:apk/chainguard/superset-4.1-iamguarded-compat

Vulnerabilities (9)

  • CVE-2025-69277 (Medium) Dec 31, 2025
    affected: < 4.1.4-r5; fixed: 4.1.4-r5

    libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g

  • CVE-2025-68480 (Medium) Dec 22, 2025
    affected: < 4.1.4-r4; fixed: 4.1.4-r4

    Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request

  • CVE-2025-66221 Nov 29, 2025
    affected: < 4.1.4-r3; fixed: 4.1.4-r3

    Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every direc

  • CVE-2025-6176 (High) Oct 31, 2025
    affected: < 4.1.4-r2; fixed: 4.1.4-r2

    Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less

  • CVE-2025-58065 Sep 11, 2025
    affected: < 4.1.4-r1; fixed: 4.1.4-r1

    Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in th

  • CVE-2025-55675 Aug 14, 2025
    affected: < 4.1.4-r2; fixed: 4.1.4-r2

    Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL,

  • CVE-2025-55674 Aug 14, 2025
    affected: < 4.1.4-r2; fixed: 4.1.4-r2

    A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to

  • CVE-2025-55672 Aug 14, 2025
    affected: < 4.1.4-r2; fixed: 4.1.4-r2

    A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's b

  • CVE-2025-55673 Aug 14, 2025
    affected: < 0; fixed: 0

    When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privilege