A modern, enterprise-ready business intelligence web application
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means
Vulnerabilities (Public)
Known vulnerabilities and security issues detected in the extension's dependencies and code.
| Vulnerability ID | Advisory | Severity | | | Affected Versions |
|---|---|---|---|---|---|
| CVE-2026-23984 | Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections | High | – | – | < 6.0.0 |
| CVE-2026-23982 | Apache Superset Improper Authorization allows low-privileged users to bypass access controls | High | – | – | < 6.0.0 |
| CVE-2025-48912 | An authenticated malicious actor using specially crafted requests could bypass row-level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries … | High | – | – | <4.1.2rc1 |
| CVE-2026-23980 | Apache Superset allows privileged users to conduct error-based SQL Injection | Medium | – | – | < 6.0.0 |
| CVE-2026-23969 | Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine | Medium | – | – | < 4.1.2 |
| CVE-2025-55673 | Affected versions of the Apache Superset package are vulnerable to Information Disclosure due to improper access control on query metadata. The `/chart/data` endpoint returns a query field in its API … | Medium | – | – | <4.1.3.post1 |
| CVE-2025-55674 | Affected versions of the Apache Superset package are vulnerable to Improper Input Validation due to insufficient filtering of SQL function calls. The DISALLOWED_SQL_FUNCTIONS security feature can be b… | Medium | – | – | <5.0.0 |
| CVE-2025-55672 | Affected versions of the apache‑superset package are vulnerable to Cross‑site Scripting (XSS) due to improper sanitization of chart label inputs. The chart visualization module allows an authenticated… | Medium | – | – | <5.0.0 |
| CVE-2025-55675 | Affected versions of the Apache Superset package are vulnerable to Improper Authorization due to insufficient access control in endpoints that allow ownership transfer. The API endpoints for dashboard… | Medium | – | – | <5.0.0 |
| CVE-2026-23983 | Apache Superset allows authenticated users to view sensitive data without explicit permissions | Low | – | – | < 6.0.0 |
Safety Discovered Vulnerabilities
Additional security issues found by Safety, exclusive to our platform.
