Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine

Apache Superset utilizes a configurable dictionary, DISALLOWEDSQLFUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...

SQL Injection

Overview apache-superset is a modern, enterprise-ready business intelligence web application. Affected versions of this package are vulnerable to SQL Injection via incomplete filtering of SQL functions for the ClickHouse engine in the DISALLOWEDSQLFUNCTIONS configuration. An attacker can access...

CVE-2026-23969 Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering

Apache Superset utilizes a configurable dictionary, DISALLOWEDSQLFUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...

EUVD-2026-8479

Apache Superset utilizes a configurable dictionary, DISALLOWEDSQLFUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...

PT-2023-22780 · Archery · Archery

Name of the Vulnerable Software and Affected Versions: Archery affected versions not specified Description: The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. User input coming from the db name parameter value and the...