Apache · Apache Superset · CVE-2021-41971
**Name of the Vulnerable Software and Affected Versions**
Apache Superset versions up to and including 1.3.0
**Description**
The issue allows SQL injection when a malicious authenticated user sends an HTTP request with a custom URL, but only when Apache Superset is configured with ENABLE TEMPLATE PROCESSING enabled, which is disabled by default.
**Recommendations**
For Apache Superset versions up to and including 1.3.0, consider disabling the ENABLE TEMPLATE PROCESSING configuration to prevent SQL injection attacks until a patch is available.