Apache Superset

68 CVEs affecting Apache Superset. Latest disclosed: 2026-02-24. Critical: 4, High: 7.

Top CVEs affecting Apache Superset
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2024-53947 | Critical | 9.8 | 2024-12-09 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific fu… |
| CVE-2022-27479 | Critical | 9.8 | 2022-04-13 | Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue. |
| CVE-2018-8021 | Critical | 9.8 | 2018-11-07 | Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data leading to possible remote code execution. Note Super… |
| CVE-2023-49657 | Critical | 9.6 | 2024-01-23 | A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or… |
| CVE-2023-27524 | High | 8.9 | 2023-04-24 | Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY accordi… |
| CVE-2025-27696 | High | 8.8 | 2025-05-13 | Incorrect Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with read permissio… |
| CVE-2022-43719 | High | 8.8 | 2023-01-16 | Two legacy REST API endpoints for approval and request access are vulnerable to cross site request forgery. This issue affects Apache Superset version 1.5.2 an… |
| CVE-2021-41971 | High | 8.8 | 2021-10-18 | Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authe… |
| CVE-2020-13948 | High | 8.8 | 2020-09-17 | While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in… |
| CVE-2020-13952 | High | 8.1 | 2020-09-30 | In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could acce… |
| CVE-2023-49734 | High | 7.7 | 2023-12-19 | An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts al… |
| CVE-2024-34693 | Medium | 6.8 | 2024-06-20 | Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If b… |
| CVE-2023-37941 | Medium | 6.6 | 2023-09-06 | If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote cod… |
| CVE-2026-23984 | Medium | 6.5 | 2026-02-24 | An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification… |
| CVE-2026-23983 | Medium | 6.5 | 2026-02-24 | A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabl… |
| CVE-2026-23982 | Medium | 6.5 | 2026-02-24 | An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Su… |
| CVE-2026-23980 | Medium | 6.5 | 2026-02-24 | Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read acc… |
| CVE-2026-23969 | Medium | 6.5 | 2026-02-24 | Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab a… |
| CVE-2025-55675 | Medium | 6.5 | 2025-08-14 | Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to disco… |
| CVE-2025-55674 | Medium | 6.5 | 2025-08-14 | A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special i… |