CVE-2025-55672 – apache-superset

Package

Manager: pip
Name: apache-superset
Vulnerable Version: >=0 <5.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.0003 pctl0.06786

Details

Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.

Metadata

Created: 2025-08-14T15:30:44Z
Modified: 2025-08-14T17:31:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-fj97-2v9x-w5m4/GHSA-fj97-2v9x-w5m4.json
CWE IDs: ["CWE-80"]
Alternative ID: GHSA-fj97-2v9x-w5m4
Finding: F063
Auto approve: 1