PT-2026-21679 · Apache · Apache Superset
Dhanush Nayak +2 · Published 2026-02-24 · Updated 2026-02-28 · CVE-2026-23980
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Superset versions prior to 6.0.0
Description
An issue exists in Apache Superset that allows an authenticated user with read access to conduct error-based SQL injection. This is due to improper neutralization of special elements used in a SQL command. The issue can be triggered via the sqlExpression or where parameters.
Recommendations
Upgrade to version 6.0.0 to resolve the issue.
Fix
SQL injection
Affected Products
Apache Superset