Apache · Apache Superset · CVE-2026-23980
**Name of the Vulnerable Software and Affected Versions**
Apache Superset versions prior to 6.0.0
**Description**
An issue exists in Apache Superset that allows an authenticated user with read access to conduct error-based SQL injection. This is due to improper neutralization of special elements used in a SQL command. The issue can be triggered via the `sqlExpression` or `where` parameters.
**Recommendations**
Upgrade to version 6.0.0 to resolve the issue.