
19 matches found

OSV
added 2026/03/02 8:51 a.m., 1 view

BIT-SUPERSET-2026-23969 Apache Superset: Exposure of Sensitive Information via Incomplete ClickHouse Function Filtering

Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...

CVSS 6.5, AI score 6.1, EPSS 0.00069
Exploits 0, References 3
RedhatCVE
added 2026/02/25 4:17 p.m., 1 view

CVE-2026-23969

Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...

CVSS 6.5, AI score 5.9, EPSS 0.00069
Exploits 0, References 1
Github Security Blog
added 2026/02/24 3:30 p.m., 3 views

Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine

Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...

CVSS 6.5, AI score 5.9, EPSS 0.00069
Exploits 0, References 4, Affected Software 1
Snyk
added 2026/02/24 3:26 p.m., 2 views

SQL Injection

Overview: apache-superset is a modern, enterprise-ready business intelligence web application. Affected versions of this package are vulnerable to SQL Injection via incomplete filtering of SQL functions for the ClickHouse engine in the DISALLOWED_SQL_FUNCTIONS configuration. An attacker can access...

CVSS 6.5, AI score 6, EPSS 0.00069
Exploits 0, References 2
NVD
added 2026/02/24 2:16 p.m., 1 view

CVE-2026-23969

Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the...

CVSS 6.5, EPSS 0.00069
Exploits 0, References 2
CVE
added 2026/02/24 1:02 p.m., 9 views

CVE-2026-23969

Apache Superset prior to 4.1.2 is affected by CVE-2026-23969 due to an incomplete default DISALLOWED_SQL_FUNCTIONS list for the ClickHouse engine, which can lead to exposure of sensitive information in SQL Lab and charts. The vulnerability's impact is described with a CVSS 4.0 base score of 5.3 (...

CVSS 6.5, AI score 5.9, EPSS 0.00069
Exploits 0, References 2, Affected Software 1
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2025-24820

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.3, EPSS 0.0014
Exploits 0, References 3
Veracode
added 2025/09/05 7:47 a.m., 1 view

SQL Injection

apache-superset is vulnerable to SQL Injection. The vulnerability is due to improper enforcement of the DISALLOWED_SQL_FUNCTIONS security feature, which allows an attacker with SQL Lab access to circumvent the denylist using a special inline block and execute restricted SQL functions...

CVSS 6.5, AI score 7.8, EPSS 0.0014
Exploits 0, References 4, Affected Software 1
CNVD
added 2025/08/20 12:00 a.m., 1 view

Apache Superset SQL Injection Vulnerability (CNVD-2025-19100)

Apache Superset is a data visualization and data exploration platform from the Apache Software Foundation. Apache Superset suffers from a SQL injection vulnerability that stems from a bypass of the DISALLOWED_SQL_FUNCTIONS security feature, which can be exploited by an attacker to gain access to sensiti...

CVSS 6.5, AI score 8.2, EPSS 0.0014
Exploits 0, References 1
OSV
added 2025/08/18 8:13 a.m., 4 views

BIT-SUPERSET-2025-55674 Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leadi...

CVSS 6.5, AI score 7.7, EPSS 0.0014
Exploits 0, References 3
RedhatCVE
added 2025/08/16 1:28 p.m., 3 views

CVE-2025-55674

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leadi...

CVSS 6.5, AI score 7.8, EPSS 0.0014
Exploits 0, References 1
OSV
added 2025/08/14 3:30 p.m., 2 views

GHSA-FXGF-3XH6-M2PP Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leadi...

CVSS 5.3, AI score 7.7, EPSS 0.0014
Exploits 0, References 4
OSV
added 2025/08/14 2:15 p.m., 2 views

CVE-2025-55674

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leadi...

CVSS 6.5, AI score 7.7
Exploits 0, References 2
NVD
added 2025/08/14 2:15 p.m., 3 views

CVE-2025-55674

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leadi...

CVSS 6.5, EPSS 0.0014
Exploits 0, References 2
Vulnrichment
added 2025/08/14 1:18 p.m., 1 view

CVE-2025-55674 Apache Superset: Improper SQL authorisation, parse not checking for specific engine functions

A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leadi...

CVSS 5.3, AI score 7.7, EPSS 0.0014
Exploits 0, References 1
CVE
added 2025/08/14 1:18 p.m., 27 views

CVE-2025-55674

CVE-2025-55674 affects Apache Superset up to version 5.0.0. The issue is a bypass of the DISALLOWED_SQL_FUNCTIONS denylist, allowing a user with SQL Lab access to execute blocked SQL functions and disclose sensitive information (e.g., software version). The publicly stated remediation is to upgra...

CVSS 6.5, AI score 7.7, EPSS 0.0014
Exploits 0, References 2, Affected Software 1
Snyk
added 2024/12/09 3:31 p.m., 1 view

SQL Injection

Overview: apache-superset is a modern, enterprise-ready business intelligence web application. Affected versions of this package are vulnerable to SQL Injection due to improper handling of certain PostgreSQL functions in the SQL parsing and authorization process. An attacker can execute unauthoriz...

CVSS 9.8, AI score 8.2, EPSS 0.60251
Exploits 2, References 2
CVE
added 2024/12/09 1:35 p.m., 2894 views

CVE-2024-53947

CVE-2024-53947: Apache Superset is affected by an SQL Injection vulnerability due to improper neutralization of certain engine-specific functions, allowing bypass of SQL authorization. The issue affects versions

CVSS 9.8, AI score 7, EPSS 0.00399
Exploits 2, References 1, Affected Software 1
OSV
added 2014/03/31 2:58 p.m., 1 view

DEBIAN-CVE-2014-0061

The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to b...

CVSS 6.5, AI score 7.2, EPSS 0.00822
Exploits 1, References 1