pkg:Bitnami/superset

65 total CVEsCRITICAL3HIGH8MEDIUM44

✅ Check your installed version

All known vulnerabilities

  • HIGH8.9CVE-2023-27524⚠ KEVApache superset missing check for default SECRET_KEY
    from 0, < 2.0.2
  • CRITICAL9.8CVE-2024-53947Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions
    from 0, < 4.1.1
  • CRITICAL9.8CVE-2022-27479SQL injection vulnerability in chart data API
    from 0, < 1.4.2
  • CRITICAL9.6CVE-2023-49657Apache Superset: Stored XSS in Dashboard Title and Chart Title
    from 0, < 3.0.3
  • HIGH8.8CVE-2025-27696Apache Superset: Incorrect authorization leading to resource ownership takeover
    from 0, < 4.1.2
  • HIGH8.8CVE-2022-43719Apache Superset: Cross Site Request Forgery (CSRF) on accept, request access API
    from 0, < 1.5.3, >= 2.0.0, < 2.0.1
  • HIGH8.8CVE-2020-13948Apache Superset OS Command Injection
    from 0, < 0.37.1
  • HIGH8.8CVE-2021-41971Possible SQL Injection when template processing is enabled
    from 0, < 1.3.1
  • HIGH8.1CVE-2020-13952Plaintext password leak in Apache Superset
    from 0, < 0.37.2
  • HIGH7.7CVE-2023-49734Apache Superset: Privilege Escalation Vulnerability
    from 0, < 2.1.2, >= 3.0.0, < 3.0.2
  • HIGH7.3CVE-2023-40610Apache Superset - Elevation of Privilege
    from 0, < 2.1.2
  • MEDIUM6.8CVE-2024-34693Apache Superset: Server arbitrary file read
    from 0, < 4.1.1
  • MEDIUM6.6CVE-2023-37941Apache Superset: Metadata db write access can lead to remote code execution
    >= 1.5.0, < 2.1.1
  • MEDIUM6.5CVE-2024-23952Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb (version range fix for CVE-2023-46104)
    from 0, < 4.1.1
  • MEDIUM6.5CVE-2024-55633Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access
    from 0, < 4.1.1
  • MEDIUM6.5CVE-2024-53949Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled
    >= 2.0.0, < 4.1.1
  • MEDIUM6.5CVE-2023-49736Apache Superset: SQL Injection on where_in JINJA macro
    from 0, < 2.1.2, >= 3.0.0, < 3.0.2
  • MEDIUM6.5CVE-2023-46104Apache Superset: Allows for uncontrolled resource consumption via a ZIP bomb
    from 0, < 2.1.3, >= 3.0.0, < 3.0.1
  • MEDIUM6.5CVE-2023-42504Apache Superset: Lack of rate limiting allows for possible denial of service
    from 0, < 3.0.0
  • MEDIUM6.5CVE-2023-39265Apache Superset: Possible Unauthorized Registration of SQLite Database Connections
    from 0, < 2.1.1
  • MEDIUM6.5CVE-2023-30776Apache Superset: Database connection password leak
    >= 1.3.0, < 2.0.2
  • MEDIUM6.5CVE-2023-25504Apache Superset: Possible SSRF on import datasets
    from 0, < 2.0.2
  • MEDIUM6.5CVE-2021-42250Possible log injection
    from 0, < 1.3.2
  • MEDIUM6.5CVE-2021-41972Credentials leak
    from 0, < 1.3.2
  • MEDIUM6.5CVE-2021-44451API sensitive information leak
    from 0, < 1.3.3
  • MEDIUM6.5CVE-2020-1932Information disclosure in Apache Superset
    >= 0.34.0, < 0.34.1, >= 0.34.1, < 0.34.2, >= 0.35.0, < 0.35.1, >= 0.35.1, < 0.35.2
  • MEDIUM6.1CVE-2021-28125Apache Superset Open Redirect
    from 0, < 1.0.2
  • MEDIUM5.4CVE-2023-42502Apache Superset: Open Redirect Vulnerability
    from 0, < 3.0.0
  • MEDIUM5.4CVE-2023-36387Apache Superset: Improper API permission for low privilege users
    from 0, < 2.1.1
  • MEDIUM5.4CVE-2022-43718Apache Superset: Cross-Site Scripting vulnerability on upload forms
    from 0, < 1.5.3, >= 2.0.0, < 2.0.1
  • MEDIUM5.4CVE-2022-43717Apache Superset: Cross-Site Scripting on dashboards
    from 0, < 1.5.3, >= 2.0.0, < 2.0.1
  • MEDIUM5.4CVE-2022-41703Apache Superset: SQL injection vulnerability in adhoc clauses
    from 0, < 1.5.3, >= 2.0.0, < 2.0.1
  • MEDIUM5.4CVE-2022-43721Apache Superset: Open Redirect Vulnerability
    from 0, < 1.5.3, >= 2.0.0, < 2.0.1
  • MEDIUM5.4CVE-2022-43720Apache Superset: Improper rendering of user input
    from 0, < 1.5.3, >= 2.0.0, < 2.0.1
  • MEDIUM5.4CVE-2021-27907Apache Superset stored XSS on Dashboard markdown
    from 0, < 0.38.1
  • MEDIUM5.4CVE-2021-32609XSS vulnerability on Explore page
    from 0, < 1.1.1
  • MEDIUM5.3CVE-2024-53948Apache Superset: Error verbosity exposes metadata in analytics databases
    from 0, < 4.1.1
  • MEDIUM5.3CVE-2022-45438Apache Superset: Dashboard metadata information leak
    from 0, < 1.5.3, >= 2.0.0, < 2.0.1
  • MEDIUM5.0CVE-2024-24779Apache Superset: Improper data authorization when creating a new dataset
    from 0, < 4.1.1
  • MEDIUM5.0CVE-2023-27523Apache Superset: Improper data permission validation on Jinja templated queries
    from 0, < 2.1.1
  • MEDIUM4.9CVE-2024-24773Apache Superset: Improper validation of SQL statements allows for unauthorized access to data
    from 0, < 4.1.1
  • MEDIUM4.3CVE-2024-39887Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions
    from 0, < 4.1.1
  • MEDIUM4.3CVE-2024-28148Apache Superset: Incorrect datasource authorization on explore REST API
    from 0, < 4.1.1
  • MEDIUM4.3CVE-2024-26016Apache Superset: Improper authorization validation on dashboards and charts import
    from 0, < 4.1.1
  • MEDIUM4.3CVE-2024-24772Apache Superset: Improper Neutralisation of custom SQL on embedded context
    from 0, < 4.1.1
  • MEDIUM4.3CVE-2024-27315Apache Superset: Improper error handling on alerts
    from 0, < 4.1.1
  • MEDIUM4.3CVE-2023-42505Apache Superset: Sensitive information disclosure on db connection details
    from 0, < 3.0.0
  • MEDIUM4.3CVE-2023-43701Apache Superset: Stored XSS on API endpoint
    from 0, < 2.1.2
  • MEDIUM4.3CVE-2023-42501Apache Superset: Unnecessary read permissions within the Gamma role
    from 0, < 2.1.1
  • MEDIUM4.3CVE-2023-32672Apache Superset: SQL parser edge case bypasses data access authorization
    from 0, < 2.1.1
  • MEDIUM4.3CVE-2023-36388Apache Superset: Improper API permission for low privilege users allows for SSRF
    from 0, < 2.1.1
  • MEDIUM4.3CVE-2023-27526Apache Superset: Improper Authorization check on import charts
    from 0, < 2.1.1
  • MEDIUM4.3CVE-2023-39264Apache Superset: Stack traces enabled by default
    from 0, < 2.1.1
  • MEDIUM4.3CVE-2023-27525Apache Superset: Incorrect default permissions for Gamma role
    from 0, < 2.0.2
  • MEDIUM4.3CVE-2021-37839Improper access to dataset metadata information
    from 0, < 1.5.2
  • CVE-2026-23983Apache Superset: Sensitive Data Exposure via REST API (disabled by default)
    from 0, < 6.0.0
  • CVE-2026-23982Apache Superset: Improper Authorization in Dataset Creation Allows Access Control Bypass
    from 0, < 6.0.0
  • CVE-2026-23969Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering
    from 0, < 4.1.2
  • CVE-2026-23980Apache Superset: Improper Neutralization of Special Elements used in a SQL Command
    from 0, < 6.0.0
  • CVE-2026-23984Apache Superset: SQLLab Read-Only Bypass on PostgreSQL
    from 0, < 6.0.0
  • CVE-2025-55673Apache Superset data query improperly discloses database schema information to low-privileged guest user
    from 0, < 4.1.3
  • CVE-2025-55675Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access
    from 0, < 5.0.0
  • CVE-2025-55672Apache Superset: Stored XSS on charts metadata
    from 0, < 5.0.0
  • CVE-2025-55674Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions
    from 0, < 5.0.0
  • CVE-2025-48912Apache Superset: Improper authorization bypass on row level security via SQL Injection
    from 0, < 4.1.2