VYPR

apk package

wolfi/superset-4.1

pkg:apk/wolfi/superset-4.1

Vulnerabilities (7)

  • CVE-2026-21860 (Jan 8, 2026)
    affected: < 4.1.4-r7; fixed: 4.1.4-r7

    Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are i

  • CVE-2025-69277, severity Medium (Dec 31, 2025)
    affected: < 4.1.4-r6; fixed: 4.1.4-r6

    libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g

  • CVE-2025-68480, severity Medium (Dec 22, 2025)
    affected: < 4.1.4-r4; fixed: 4.1.4-r4

    Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request

  • CVE-2025-66221 (Nov 29, 2025)
    affected: < 4.1.4-r3; fixed: 4.1.4-r3

    Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every direc

  • CVE-2025-6176, severity High (Oct 31, 2025)
    affected: < 4.1.4-r2; fixed: 4.1.4-r2

    Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less

  • CVE-2025-58065 (Sep 11, 2025)
    affected: < 4.1.4-r1; fixed: 4.1.4-r1

    Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in th

  • CVE-2025-55673 (Aug 14, 2025)
    affected: < 0; fixed: 0

    When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privilege