| CVE-2023-27524 | unknown | — | 2.5 | 3y ago | Apache Superset contains an insecure default initialization of a resource vulnerability that allows an attacker to authenticate and access unauthorized resources on installations that have not altere… |
| CVE-2023-37941 | unknown | — | 1.0 | 3y ago | Apache Superset Deserialization of Untrusted Data vulnerability |
| CVE-2023-39265 | unknown | — | 1.0 | 3y ago | Apache Superset Improper Input Validation vulnerability |
| CVE-2026-23982 | unknown | — | — | 3mo ago | Apache Superset Improper Authorization allows low-privileged users to bypass access controls |
| CVE-2026-23980 | unknown | — | — | 3mo ago | Apache Superset allows privileged users to conduct error-based SQL Injection |
| CVE-2026-23969 | unknown | — | — | 3mo ago | Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine |
| CVE-2026-23984 | unknown | — | — | 3mo ago | Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections |
| CVE-2026-23983 | unknown | — | — | 3mo ago | Apache Superset allows authenticated users to view sensitive data without explicit permissions |
| CVE-2025-55673 | unknown | — | — | 10mo ago | Apache Superset data query improperly discloses database schema information to low-privileged guest user |
| CVE-2025-55672 | unknown | — | — | 10mo ago | Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability |
| CVE-2025-55675 | unknown | — | — | 10mo ago | Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access |
| CVE-2025-55674 | unknown | — | — | 10mo ago | Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions |
| CVE-2025-48912 | unknown | — | — | 1y ago | Apache Superset: Improper authorization bypass on row level security via SQL Injection |
| CVE-2025-27696 | unknown | — | — | 1y ago | Apache Superset Allows Ownership Takeover |
| CVE-2024-55633 | unknown | — | — | 2y ago | Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access |
| CVE-2024-53947 | unknown | — | — | 2y ago | Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions |
| CVE-2024-53948 | unknown | — | — | 2y ago | Apache Superset: Error verbosity exposes metadata in analytics databases |
| CVE-2024-53949 | unknown | — | — | 2y ago | Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled |
| CVE-2024-39887 | unknown | — | — | 2y ago | Apache Superset vulnerable to improper SQL authorization |
| CVE-2024-34693 | unknown | — | — | 2y ago | Apache Superset server arbitrary file read |
| CVE-2024-28148 | unknown | — | — | 2y ago | Apache Superset Incorrect Authorization vulnerability |
| CVE-2024-26016 | unknown | — | — | 2y ago | Apache Superset: Improper authorization validation on dashboards and charts import |
| CVE-2024-24779 | unknown | — | — | 2y ago | Apache Superset: Improper data authorization when creating a new dataset |
| CVE-2024-24773 | unknown | — | — | 2y ago | Apache Superset: Improper validation of SQL statements allows for unauthorized access to data |
| CVE-2024-24772 | unknown | — | — | 2y ago | Apache Superset: Improper Neutralization of custom SQL on embedded context |
| CVE-2024-27315 | unknown | — | — | 2y ago | Apache Superset: Improper error handling on alerts |
| CVE-2023-49657 | unknown | — | — | 2y ago | Cross-site Scripting in Apache superset |
| CVE-2023-49734 | unknown | — | — | 3y ago | Apache Superset incorrect write permissions vulnerability |
| CVE-2023-49736 | unknown | — | — | 3y ago | Apache Superset SQL injection vulnerability |
| CVE-2023-46104 | unknown | — | — | 3y ago | Apache Superset uncontrolled resource consumption |
| CVE-2023-40610 | unknown | — | — | 3y ago | Apache Superset - Elevation of Privilege |
| CVE-2023-42505 | unknown | — | — | 3y ago | Apache Superset Exposure of Sensitive Information to an Unauthorized Actor vulnerability |
| CVE-2023-42502 | unknown | — | — | 3y ago | Apache Superset Open Redirect vulnerability |
| CVE-2023-42504 | unknown | — | — | 3y ago | Apache Superset Allocation of Resources Without Limits or Throttling vulnerability |
| CVE-2023-43701 | unknown | — | — | 3y ago | Apache Superset Cross-site Scripting vulnerability |
| CVE-2023-42501 | unknown | — | — | 3y ago | Apache Superset has Incorrect Default Permissions |
| CVE-2023-32672 | unknown | — | — | 3y ago | Apache Superset has incorrect authorization check |
| CVE-2023-39264 | unknown | — | — | 3y ago | Apache Superset may expose internal traces on REST API endpoints |
| CVE-2023-36387 | unknown | — | — | 3y ago | Apache Superset has improper default REST API permission for Gamma users |
| CVE-2023-27526 | unknown | — | — | 3y ago | Apache Superset users may incorrectly create resources using the import charts feature |
| CVE-2023-27523 | unknown | — | — | 3y ago | Apache Superset vulnerable to improper data authorization |
| CVE-2023-36388 | unknown | — | — | 3y ago | Apache Superset Server Side Request Forgery vulnerability |
| CVE-2023-30776 | unknown | — | — | 3y ago | Apache Superset vulnerable to Exposure of Sensitive Information |
| CVE-2023-25504 | unknown | — | — | 3y ago | Apache Superset Server-Side Request Forgery vulnerability |
| CVE-2023-27525 | unknown | — | — | 3y ago | Apache Superset vulnerable to Improper Authorization |
| CVE-2022-43718 | unknown | — | — | 3y ago | Apache Superset is vulnerable to Cross-Site Scripting (XSS) |
| CVE-2022-43717 | unknown | — | — | 3y ago | Apache Superset vulnerable to Cross-site Scripting |
| CVE-2022-41703 | unknown | — | — | 3y ago | Apache Superset's SQL Alchemy connector vulnerable to SQL Injection |
| CVE-2022-43719 | unknown | — | — | 3y ago | Apache Superset vulnerable to Cross-Site Request Forgery via legacy REST API endpoints |
| CVE-2022-43720 | unknown | — | — | 3y ago | Apache Superset vulnerable to Injection |
| CVE-2022-45438 | unknown | — | — | 3y ago | Apache Superset has Improper Access Control |
| CVE-2022-43721 | unknown | — | — | 3y ago | Apache Superset Open Redirect vulnerability |
| CVE-2021-37839 | unknown | — | — | 4y ago | Apache Superset allows authenticated users to access metadata they have no permission to |
| CVE-2021-27907 | unknown | — | — | 4y ago | Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user co… |
| CVE-2020-13948 | unknown | — | — | 4y ago | While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary … |
| CVE-2021-42250 | unknown | — | — | 4y ago | Improper output neutralization for Logs. A specific Apache Superset HTTP endpoint allowed for an authenticated user to forge log entries or inject malicious content into logs. |
| CVE-2021-41972 | unknown | — | — | 4y ago | Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way. |
| CVE-2021-32609 | unknown | — | — | 4y ago | Apache Superset up to and including 1.1 does not sanitize titles correctly on the Explore page. This allows an attacker with Explore access to save a chart with a malicious title, injecting html (inc… |
| CVE-2021-41971 | unknown | — | — | 4y ago | Apache Superset up to and including 1.3.0 when configured with ENABLE_TEMPLATE_PROCESSING on (disabled by default) allowed SQL injection when a malicious authenticated user sends an http request with… |
| CVE-2022-27479 | unknown | — | — | 4y ago | Apache Superset before 1.4.2 is vulnerable to SQL injection in chart data requests. Users should update to 1.4.2 or higher which addresses this issue. |
| CVE-2021-44451 | unknown | — | — | 4y ago | Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgr… |
| CVE-2021-28125 | unknown | — | — | 5y ago | Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allo… |
| CVE-2020-13952 | unknown | — | — | 5y ago | In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated… |
| CVE-2019-12413 | unknown | — | — | 6y ago | In Apache Incubator Superset before 0.31 user could query database metadata information from a database he has no access to, by using a specially crafted complex query. |
| CVE-2019-12414 | unknown | — | — | 6y ago | In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab |
| CVE-2020-1932 | unknown | — | — | 6y ago | An information disclosure issue was found in Apache Superset 0.34.0, 0.34.1, 0.35.0, and 0.35.1. Authenticated Apache Superset users are able to retrieve other users' information, including hashed pa… |