525 matches found
EUVD-2026-8479
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...
CVE-2026-23969 Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering
Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...
PT-2026-21678
Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 4.1.2. Description: Apache Superset uses a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to limit the execution of potentially sensitive SQL functions in SQL Lab and charts. A flaw exists because the defaul...
Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: clickhouse (UTSA-2026-005307)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005307 advisory. An issue was discovered in ClickHouse before 22.9.1.2603. An authenticated user with the ability to load data could cause a heap buffer overflow and crash the server...
Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: clickhouse (UTSA-2026-005321)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005321 advisory. An issue was discovered in ClickHouse before 22.9.1.2603. An attacker could send a crafted HTTP request to the HTTP Endpoint usually listening on port 8123 by defaul...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +28 more potentially affected by CVE-2026-24098 via apache-airflow-core (>=3.0.0 <=3.1.7)
apache-airflow-core PYPI version =3.0.0, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =0.0.4, =2.0.2, =2.3.0rc1 and more Source cves: CVE-2026-24098 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-15267373...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: clickhouse (UTSA-2026-005267)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005267 advisory. An issue was discovered in ClickHouse before 22.9.1.2603. An authenticated user with the ability to load data could cause a heap buffer overflow and crash the server...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: clickhouse (UTSA-2026-005268)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005268 advisory. An issue was discovered in ClickHouse before 22.9.1.2603. An attacker could send a crafted HTTP request to the HTTP Endpoint usually listening on port 8123 by defaul...
CLEANSTART-2026-DN29911 attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing
Security vulnerability affects the clickhouse-operator package. An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing...
CLEANSTART-2026-ZR62045 attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing
Multiple security vulnerabilities affect the clickhouse-operator package. An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. See references for individual vulnerability details...
CLEANSTART-2025-ZR62045 attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing
Multiple security vulnerabilities affect the clickhouse-operator package. An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. See references for individual vulnerability details...
CLEANSTART-2026-JM16286 attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing
Multiple security vulnerabilities affect the clickhouse-operator package. An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. See references for individual vulnerability details...
CVE-2018-14669
ClickHouse MySQL client before version 1.1.54390 had "LOAD DATA LOCAL INFILE" functionality enabled, which allowed a malicious MySQL database to read arbitrary files from the connected ClickHouse server...
CVE-2024-41436
ClickHouse v24.3.3.102 was discovered to contain a buffer overflow via the component DB::evaluateConstantExpressionImpl...
CVE-2019-16536
A stack overflow leading to DoS can be triggered by a malicious authenticated client in ClickHouse before 19.14.3.3...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plugin (=1.5.0) +20 more potentially affected by CVE-2025-66388 via apache-airflow-task-sdk (>=1.0.0rc4 <=1.1.4)
apache-airflow-task-sdk PYPI version =1.0.0rc4, =0.7.0, =0.6.1, =1.10.7, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0rc3, =3.0.0rc3, =1.6.0, =1.5.3, =1.25.0rc1, =3.12.0, =0.0.4, =0.0.6.dev1 and more Source cves: CVE-2025-66388 Source advisory: SNYK:PYTHON-APACHEAIRFLOWTASKSDK-14459396...
Directory Traversal
Overview: gapless-crypto-clickhouse is a ClickHouse-based cryptocurrency data collection with zero-gap guarantee. 22x faster via Binance public repository with persistent database storage, USDT-margined futures support, and production-ready ReplacingMergeTree schema. Affected versions of this...
EUVD-2025-199098
Malicious code in @posthog/clickhouse npm...
Malicious code in @posthog/clickhouse (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab67710c7cf24d338618be2ab087d4c3b27117879492e29334b31cd0328e171a The package @posthog/clickhouse was found to contain malicious code. Source: ghsa-malware...
MAL-2025-190945 Malicious code in @posthog/clickhouse (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab67710c7cf24d338618be2ab087d4c3b27117879492e29334b31cd0328e171a The package @posthog/clickhouse was found to contain malicious code. Source: ghsa-malware...