VYPR

Superset

by Apache

pypi: superset

Source repositories

CVEs (63)

  • CVE-2023-27524KEVApr 24, 2023
    risk 0.16cvss epss 0.97

    Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not…

  • CVE-2023-37941Sep 6, 2023
    risk 0.10cvss epss 0.29

    If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only…

  • CVE-2023-39265Sep 6, 2023
    risk 0.09cvss epss 0.84

    Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if…

  • CVE-2021-44451Feb 1, 2022
    risk 0.07cvss epss 0.08

    Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.

  • CVE-2024-34693Jun 20, 2024
    risk 0.01cvss epss 0.02

    Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile,…

  • CVE-2026-23969Feb 24, 2026
    risk 0.00cvss epss 0.01

    Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the…

  • CVE-2026-23980Feb 24, 2026
    risk 0.00cvss epss 0.01

    Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset:…

  • CVE-2026-23982Feb 24, 2026
    risk 0.00cvss epss 0.00

    An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker…

  • CVE-2026-23983Feb 24, 2026
    risk 0.00cvss epss 0.00

    A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag. When these associated objects…

  • CVE-2026-23984Feb 24, 2026
    risk 0.00cvss epss 0.00

    An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation…

  • CVE-2025-55675Aug 14, 2025
    risk 0.00cvss epss 0.00

    Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL,…

  • CVE-2025-55674Aug 14, 2025
    risk 0.00cvss epss 0.01

    A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended…

  • CVE-2025-55672Aug 14, 2025
    risk 0.00cvss epss 0.01

    A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's…

  • CVE-2025-55673Aug 14, 2025
    risk 0.00cvss epss 0.01

    When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the…

  • CVE-2025-48912May 30, 2025
    risk 0.00cvss epss 0.01

    An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data. …

  • CVE-2025-27696May 13, 2025
    risk 0.00cvss epss 0.01

    Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissions. This issue affects Apache Superset: through 4.1.1. Users are recommended to upgrade to version 4.1.2 or above,…

  • CVE-2024-55633Dec 12, 2024
    risk 0.00cvss epss 0.03

    Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database…

  • CVE-2024-53949Dec 9, 2024
    risk 0.00cvss epss 0.01

    Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.  issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0,…

  • CVE-2024-53948Dec 9, 2024
    risk 0.00cvss epss 0.01

    Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

  • CVE-2024-53947Dec 9, 2024
    risk 0.00cvss epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up…

Page 1 of 4