Package impact

python PyPI / apache-superset

CVE Severity CVSS Risk Published Description Impact
CVE-2023-27524 unknown 1.5 3y ago Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altere… python
CVE-2026-23984 unknown 3mo ago Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections python
CVE-2026-23983 unknown 3mo ago Apache Superset allows authenticated users to view sensitive data without explicit permissions python
CVE-2026-23982 unknown 3mo ago Apache Superset Improper Authorization allows low-privileged users to bypass access controls python
CVE-2026-23980 unknown 3mo ago Apache Superset allows privileged users to conduct error-based SQL Injection python
CVE-2026-23969 unknown 3mo ago Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine python
CVE-2025-55675 unknown 10mo ago Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access python
CVE-2025-55674 unknown 10mo ago Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions python
CVE-2025-55673 unknown 10mo ago Apache Superset data query improperly discloses database schema information to low-privileged guest user python
CVE-2025-55672 unknown 10mo ago Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability python
CVE-2025-48912 unknown 1y ago Apache Superset: Improper authorization bypass on row level security via SQL Injection python
CVE-2025-27696 unknown 1y ago Apache Superset Allows Ownership Takeover python
CVE-2024-55633 unknown 2y ago Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access python
CVE-2024-53949 unknown 2y ago Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled python
CVE-2024-53948 unknown 2y ago Apache Superset: Error verbosity exposes metadata in analytics databases python
CVE-2024-53947 unknown 2y ago Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions python
CVE-2024-39887 unknown 2y ago Apache Superset vulnerable to improper SQL authorization python
CVE-2024-34693 unknown 2y ago Apache Superset server arbitrary file read python
CVE-2024-28148 unknown 2y ago Apache Superset Incorrect Authorization vulnerability python
CVE-2024-26016 unknown 2y ago Apache Superset: Improper authorization validation on dashboards and charts import python
CVE-2024-24779 unknown 2y ago Apache Superset: Improper data authorization when creating a new dataset python
CVE-2024-24773 unknown 2y ago Apache Superset: Improper validation of SQL statements allows for unauthorized access to data python
CVE-2024-24772 unknown 2y ago Apache Superset: Improper Neutralization of custom SQL on embedded context python
CVE-2024-27315 unknown 2y ago Apache Superset: Improper error handling on alerts python
CVE-2023-49657 unknown 2y ago Cross-site Scripting in Apache Superset python
CVE-2023-49736 unknown 3y ago Apache Superset SQL injection vulnerability python
CVE-2023-49734 unknown 3y ago Apache Superset incorrect write permissions vulnerability python
CVE-2023-46104 unknown 3y ago Apache Superset uncontrolled resource consumption python
CVE-2023-40610 unknown 3y ago Apache Superset - Elevation of Privilege python
CVE-2023-42505 unknown 3y ago Apache Superset Exposure of Sensitive Information to an Unauthorized Actor vulnerability python
CVE-2023-42502 unknown 3y ago Apache Superset Open Redirect vulnerability python
CVE-2023-42504 unknown 3y ago Apache Superset Allocation of Resources Without Limits or Throttling vulnerability python
CVE-2023-43701 unknown 3y ago Apache Superset Cross-site Scripting vulnerability python
CVE-2023-42501 unknown 3y ago Apache Superset has Incorrect Default Permissions python
CVE-2023-39265 unknown 3y ago Apache Superset Improper Input Validation vulnerability python
CVE-2023-37941 unknown 3y ago Apache Superset Deserialization of Untrusted Data vulnerability python
CVE-2023-32672 unknown 3y ago Apache Superset has incorrect authorization check python
CVE-2023-39264 unknown 3y ago Apache Superset may expose internal traces on REST API endpoints python
CVE-2023-36387 unknown 3y ago Apache Superset has improper default REST API permission for Gamma users python
CVE-2023-27526 unknown 3y ago Apache Superset users may incorrectly create resources using the import charts feature python
CVE-2023-27523 unknown 3y ago Apache Superset vulnerable to improper data authorization python
CVE-2023-36388 unknown 3y ago Apache Superset Server Side Request Forgery vulnerability python
CVE-2023-30776 unknown 3y ago Apache Superset vulnerable to Exposure of Sensitive Information python
CVE-2023-25504 unknown 3y ago Apache Superset Server-Side Request Forgery vulnerability python
CVE-2023-27525 unknown 3y ago Apache Superset vulnerable to Improper Authorization python
CVE-2022-43717 unknown 3y ago Apache Superset vulnerable to Cross-site Scripting python
CVE-2022-41703 unknown 3y ago Apache Superset's SQL Alchemy connector vulnerable to SQL Injection python
CVE-2022-43719 unknown 3y ago Apache Superset vulnerable to Cross-Site Request Forgery via legacy REST API endpoints python
CVE-2022-43718 unknown 3y ago Apache Superset is vulnerable to Cross-Site Scripting (XSS) python
CVE-2022-43721 unknown 3y ago Apache Superset Open Redirect vulnerability python
CVE-2022-45438 unknown 3y ago Apache Superset has Improper Access Control python
CVE-2022-43720 unknown 3y ago Apache Superset vulnerable to Injection python
CVE-2021-37839 unknown 4y ago Apache Superset allows authenticated users to access metadata they have no permission to python
CVE-2021-27907 unknown 4y ago Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user co… python
CVE-2020-13948 unknown 4y ago While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary … python
CVE-2021-42250 unknown 4y ago Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs. python
CVE-2021-41972 unknown 4y ago Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way. python
CVE-2021-32609 unknown 4y ago Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (inc… python
CVE-2021-41971 unknown 4y ago Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with… python
CVE-2022-27479 unknown 4y ago Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue. python
CVE-2021-44451 unknown 4y ago Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgr… python
CVE-2021-28125 unknown 5y ago Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allo… python
CVE-2020-13952 unknown 5y ago In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated… python
CVE-2019-12413 unknown 6y ago In Apache Incubator Superset before 0.31 user could query database metadata information from a database he has no access to, by using a specially crafted complex query. python
CVE-2019-12414 unknown 6y ago In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab python
CVE-2020-1932 unknown 6y ago An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed pa… python