PyPI: apache-superset

CVE-2026-23980

Safety vulnerability ID: SFTY-20260224-74290

Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.

PythonPyPINVDNVDGitHubGHSA
Created at: Feb 26, 2026Updated at: Feb 26, 2026

Overview

Apache Superset allows privileged users to conduct error-based SQL Injection

Advisory

Apache Superset allows privileged users to conduct error-based SQL Injection

Affected Package

Affecting apache-superset package, versions
< 6.0.0

Also affects

---

How to Fix

Upgrade
apache-superset
to
6.0.0
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more