oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-23980: Apache Superset: Improper Neutralization of Special Elements used in a SQL Command

From: Daniel Gaspar <dpgaspar () apache org>
Date: Tue, 24 Feb 2026 09:26:05 +0000
Severity: 

Affected versions:

- Apache Superset 0.0.0 before 6.0.0

Description:

Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset 
allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where 
parameters.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.

Credit:

Pritam Chakkerwar (finder)
Dhanush Nayak (reporter)
Pedro Sousa (remediation developer)

References:

https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-23980
Previous By Date Next
Previous By Thread Next

Current thread: