pkg:PyPI/apache-superset

79 total CVEs: 4 CRITICAL, 11 HIGH, 54 MEDIUM, 10 without a CVSS score. Thirteen CVE IDs appear twice in that count, so the list covers 66 distinct CVEs.


All known vulnerabilities

Each entry gives severity and CVSS score, the CVE ID, the advisory title, and on the next line the affected version range in the database's notation ("from 0" means every release from the first; "<" and "<=" bound the last affected version).

  • HIGH 8.9 · CVE-2023-27524 (⚠ KEV) · Apache Superset missing check for default SECRET_KEY
    from 0, < 2.1.0
  • CRITICAL 9.8 · CVE-2024-53947 · Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions
    from 0, < 4.1.0
  • CRITICAL 9.8 · CVE-2022-27479 · SQL injection vulnerability in chart data API
    from 0, < 1.4.2
  • CRITICAL 9.6 · CVE-2023-49657 · Apache Superset: Stored XSS in Dashboard Title and Chart Title
    from 0, < 3.0.3
  • HIGH 8.8 · CVE-2025-27696 · Apache Superset: Incorrect authorization leading to resource ownership takeover
    from 0, < 4.1.2
  • HIGH 8.8 · CVE-2022-43719 · Apache Superset: Cross Site Request Forgery (CSRF) on accept, request access API
    from 0, <= 1.5.2
  • HIGH 8.8 · CVE-2020-13948 · Apache Superset OS Command Injection
    from 0, < 0.37.1
  • HIGH 8.8 · CVE-2021-41971 · Possible SQL Injection when template processing is enabled
    from 0, < 1.3.1
  • HIGH 8.1 · CVE-2020-13952 · Plaintext password leak in Apache Superset
    from 0, < 0.37.2
  • HIGH 7.7 · CVE-2023-49734 · Apache Superset: Privilege Escalation Vulnerability
    from 0, < 2.1.3
  • HIGH 7.3 · CVE-2023-40610 · Apache Superset - Elevation of Privilege
    from 0, < 2.1.2
  • MEDIUM 6.8 · CVE-2024-34693 · Apache Superset: Server arbitrary file read
    from 0, < 3.1.3
  • MEDIUM 6.6 · CVE-2023-37941 · Apache Superset: Metadata db write access can lead to remote code execution
    >= 1.5.0, < 2.1.1
  • MEDIUM 6.5 · CVE-2024-55633 · Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access
    from 0, < 4.1.0
  • MEDIUM 6.5 · CVE-2024-53949 · Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled
    >= 2.0.0, < 4.1.0
  • MEDIUM 6.5 · CVE-2023-49736 · Apache Superset: SQL Injection on where_in JINJA macro
    from 0, < 2.1.3
  • MEDIUM 6.5 · CVE-2023-46104 · Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb
    from 0, < 2.1.2
  • MEDIUM 6.5 · CVE-2023-42504 · Apache Superset: Lack of rate limiting allows for possible denial of service
    from 0, < 3.0.0
  • MEDIUM 6.5 · CVE-2023-39265 · Apache Superset: Possible Unauthorized Registration of SQLite Database Connections
    from 0, <= 2.1.0
  • MEDIUM 6.5 · CVE-2023-30776 · Apache Superset: Database connection password leak
    >= 1.3.0, < 2.1.0
  • MEDIUM 6.5 · CVE-2023-25504 · Apache Superset: Possible SSRF on import datasets
    from 0, < 2.1.0
  • MEDIUM 6.5 · CVE-2021-42250 · Possible log injection
    from 0, < 1.3.2
  • MEDIUM 6.5 · CVE-2021-41972 · Credentials leak
    from 0, < 1.3.2
  • MEDIUM 6.5 · CVE-2021-44451 · API sensitive information leak
    from 0, < 1.4.0
  • MEDIUM 6.5 · CVE-2020-1932 · Information disclosure in Apache Superset
    from 0, < 0.35.2 (a second listing of the same CVE gives >= 0.34.0, < 0.35.2)
  • MEDIUM 6.1 · CVE-2021-28125 · Apache Superset Open Redirect
    from 0, < 1.1.0
  • MEDIUM 5.4 · CVE-2023-42502 · Apache Superset: Open Redirect Vulnerability
    from 0, < 3.0.0
  • MEDIUM 5.4 · CVE-2023-36387 · Apache Superset: Improper API permission for low privilege users
    from 0, <= 2.1.0
  • MEDIUM 5.4 · CVE-2022-43717 · Apache Superset: Cross-Site Scripting on dashboards
    from 0, <= 1.5.2
  • MEDIUM 5.4 · CVE-2022-41703 · Apache Superset: SQL injection vulnerability in adhoc clauses
    from 0, <= 1.5.2
  • MEDIUM 5.4 · CVE-2022-43718 · Apache Superset: Cross-Site Scripting vulnerability on upload forms
    from 0, <= 1.5.2
  • MEDIUM 5.4 · CVE-2022-43720 · Apache Superset: Improper rendering of user input
    from 0, <= 1.5.2
  • MEDIUM 5.4 · CVE-2022-43721 · Apache Superset: Open Redirect Vulnerability
    from 0, <= 1.5.2
  • MEDIUM 5.4 · CVE-2021-27907 · Apache Superset stored XSS on Dashboard markdown
    from 0, < 0.38.1
  • MEDIUM 5.4 · CVE-2021-32609 · XSS vulnerability on Explore page
    from 0, < 1.2.0
  • MEDIUM 5.3 · CVE-2024-53948 · Apache Superset: Error verbosity exposes metadata in analytics databases
    from 0, < 4.1.0
  • MEDIUM 5.3 · CVE-2022-45438 · Apache Superset: Dashboard metadata information leak
    from 0, <= 1.5.2
  • MEDIUM 5.3 · CVE-2019-12413 · Users able to query database metadata in Apache Superset
    from 0, < 0.31.0
  • MEDIUM 5.3 · CVE-2019-12414 · Users can view database names in Apache Superset
    from 0, < 0.32.0
  • MEDIUM 5.0 · CVE-2024-24779 · Apache Superset: Improper data authorization when creating a new dataset
    from 0, < 3.0.4
  • MEDIUM 5.0 · CVE-2023-27523 · Apache Superset: Improper data permission validation on Jinja templated queries
    from 0, <= 2.1.0
  • MEDIUM 4.9 · CVE-2024-24773 · Apache Superset: Improper validation of SQL statements allows for unauthorized access to data
    from 0, < 3.0.4
  • MEDIUM 4.3 · CVE-2024-39887 · Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions
    from 0, < 4.0.2
  • MEDIUM 4.3 · CVE-2024-28148 · Apache Superset: Incorrect datasource authorization on explore REST API
    from 0, < 3.1.2
  • MEDIUM 4.3 · CVE-2024-26016 · Apache Superset: Improper authorization validation on dashboards and charts import
    from 0, < 3.0.4
  • MEDIUM 4.3 · CVE-2024-24772 · Apache Superset: Improper Neutralisation of custom SQL on embedded context
    from 0, < 3.0.4
  • MEDIUM 4.3 · CVE-2024-27315 · Apache Superset: Improper error handling on alerts
    from 0, < 3.0.4
  • MEDIUM 4.3 · CVE-2023-42505 · Apache Superset: Sensitive information disclosure on db connection details
    from 0, < 3.0.0
  • MEDIUM 4.3 · CVE-2023-42501 · Apache Superset: Unnecessary read permissions within the Gamma role
    from 0, < 2.1.2
  • MEDIUM 4.3 · CVE-2023-43701 · Apache Superset: Stored XSS on API endpoint
    from 0, < 2.1.2
  • MEDIUM 4.3 · CVE-2023-32672 · Apache Superset: SQL parser edge case bypasses data access authorization
    from 0, <= 2.1.0
  • MEDIUM 4.3 · CVE-2023-36388 · Apache Superset: Improper API permission for low privilege users allows for SSRF
    from 0, <= 2.1.0
  • MEDIUM 4.3 · CVE-2023-39264 · Apache Superset: Stack traces enabled by default
    from 0, <= 2.1.0
  • MEDIUM 4.3 · CVE-2023-27526 · Apache Superset: Improper Authorization check on import charts
    from 0, <= 2.1.0
  • MEDIUM 4.3 · CVE-2023-27525 · Apache Superset: Incorrect default permissions for Gamma role
    from 0, <= 2.0.1
  • MEDIUM 4.3 · CVE-2021-37839 · Improper access to dataset metadata information
    from 0, < 1.5.1
  • (no CVSS score listed) · CVE-2026-23982 · Apache Superset: Improper Authorization in Dataset Creation Allows Access Control Bypass
    from 0, < 6.0.0
  • (no CVSS score listed) · CVE-2026-23983 · Apache Superset: Sensitive Data Exposure via REST API (disabled by default)
    from 0, < 6.0.0
  • (no CVSS score listed) · CVE-2026-23980 · Apache Superset: Improper Neutralization of Special Elements used in a SQL Command
    from 0, < 6.0.0
  • (no CVSS score listed) · CVE-2026-23984 · Apache Superset: SQLLab Read-Only Bypass on PostgreSQL
    from 0, < 6.0.0
  • (no CVSS score listed) · CVE-2026-23969 · Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering
    from 0, < 4.1.2
  • (no CVSS score listed) · CVE-2025-55674 · Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions
    from 0, < 5.0.0
  • (no CVSS score listed) · CVE-2025-55675 · Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access
    from 0, < 5.0.0
  • (no CVSS score listed) · CVE-2025-55672 · Apache Superset: Stored XSS on charts metadata
    from 0, < 5.0.0
  • (no CVSS score listed) · CVE-2025-55673 · Apache Superset data query improperly discloses database schema information to low-privileged guest user
    from 0, < 4.1.3.post1
  • (no CVSS score listed) · CVE-2025-48912 · Apache Superset: Improper authorization bypass on row level security via SQL Injection
    from 0, < 4.1.2
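As an added example (not part of the original listing, and not Superset's or the vulnerability database's own code), the script below does offline what a "check your installed version" control does: it parses the range notation used in the list above (`from 0, < 2.1.0`, `>= 1.5.0, < 2.1.1`, `from 0, <= 1.5.2`, `from 0, < 4.1.3.post1`), orders versions the way PEP 440 orders releases and `.postN` suffixes (a plain `4.1.3` sorts before `4.1.3.post1`, and `0.31` equals `0.31.0`), and reports which advisories match a given version. The `ADVISORIES` table is a hand-copied subset of the entries above, constructed for the example; extend it with the rest of the list or feed it from your scanner's output. The `installed_superset_version` helper assumes the package is installed under the distribution name `apache-superset`.

```python
import re
from importlib import metadata
from typing import Callable, Dict, List, Tuple

# Hand-copied subset of the advisories listed above, in the page's own range
# notation (constructed for this example; extend with the rest of the list).
ADVISORIES: List[Tuple[str, str]] = [
    ("CVE-2023-27524", "from 0, < 2.1.0"),        # default SECRET_KEY, in KEV
    ("CVE-2024-53947", "from 0, < 4.1.0"),
    ("CVE-2022-43719", "from 0, <= 1.5.2"),
    ("CVE-2023-37941", ">= 1.5.0, < 2.1.1"),
    ("CVE-2024-53949", ">= 2.0.0, < 4.1.0"),
    ("CVE-2025-27696", "from 0, < 4.1.2"),
    ("CVE-2025-55673", "from 0, < 4.1.3.post1"),
    ("CVE-2026-23982", "from 0, < 6.0.0"),
]

# (release components, post-release number); -1 marks "no .postN suffix"
VersionKey = Tuple[Tuple[int, ...], int]


def parse_version(text: str) -> VersionKey:
    """Turn '4.1.3.post1' into ((4, 1, 3), 1) and '0.31' into ((0, 31), -1).

    Trailing zeros are dropped so 0.31 == 0.31.0, and a missing .postN sorts
    before any post-release, which matches PEP 440 ordering for these forms.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\.?post(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    post = int(m.group(2)) if m.group(2) else -1
    return tuple(release), post


OPS: Dict[str, Callable[[VersionKey, VersionKey], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_range(spec: str) -> List[Tuple[str, VersionKey]]:
    """Parse 'from 0, < 2.1.0' or '>= 1.5.0, < 2.1.1' into (op, bound) pairs."""
    constraints: List[Tuple[str, VersionKey]] = []
    for part in spec.split(","):
        part = part.strip()
        if part.startswith("from "):          # 'from X' is the inclusive lower bound
            constraints.append((">=", parse_version(part[5:])))
            continue
        m = re.fullmatch(r"(<=|>=|<|>)\s*(\S+)", part)
        if not m:
            raise ValueError(f"unsupported range clause: {part!r}")
        constraints.append((m.group(1), parse_version(m.group(2))))
    return constraints


def in_range(version: str, spec: str) -> bool:
    """True when `version` satisfies every clause of the range `spec`."""
    key = parse_version(version)
    return all(OPS[op](key, bound) for op, bound in parse_range(spec))


def affected(version: str, advisories=ADVISORIES) -> List[str]:
    """CVE IDs whose listed range contains `version`, in table order."""
    return [cve for cve, spec in advisories if in_range(version, spec)]


def installed_superset_version() -> str:
    """Version of the installed apache-superset distribution, or '' if absent."""
    try:
        return metadata.version("apache-superset")
    except metadata.PackageNotFoundError:
        return ""


if __name__ == "__main__":
    # Falls back to a sample version when Superset is not installed locally.
    v = installed_superset_version() or "4.1.3"
    hits = affected(v)
    print(f"apache-superset {v}: {len(hits)} matching advisories")
    for cve in hits:
        print("  ", cve)
```

Run it inside the environment where Superset is installed so `importlib.metadata` sees the real distribution; a match against `CVE-2023-27524` is the one to act on first, since that entry is flagged KEV above.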