Message-ID: <1a6e382c-b121-bf9f-61b9-a8cb7df22104@apache.org>
Date: Thu, 14 Aug 2025 11:36:39 +0000
From: Daniel Gaspar <dpgaspar@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-55672: Apache Superset: Store XSS on charts metadata

Severity:

Affected versions:
- Apache Superset before 5.0.0

Description:

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

Credit:

Pedro Sousa (coordinator)
Jobar (finder)
Mehmet Yavuz (remediation developer)

References:

https://www.cve.org/CVERecord?id=CVE-2025-55672
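The defect class described above is a stored label being concatenated into tooltip markup without escaping. The following is an added illustration, not Superset's own rendering code and not the fix shipped in 5.0.0: a hypothetical tooltip renderer in its unescaped form beside a hardened form that HTML-escapes every untrusted field, plus a small check a reviewer or detection rule could run over stored chart metadata to flag labels that contain markup. The sample label is constructed for the example.

```javascript
// Added example: safe vs. unsafe rendering of a user-controlled chart label
// into hover-tooltip markup. Function names and markup are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored label is dropped straight into markup,
// so any tags or event handlers it carries become live DOM.
function tooltipHtmlUnsafe(label, value) {
  return `<div class="tooltip"><span class="label">${label}</span>: ${value}</div>`;
}

// Hardened pattern: every field that originates from user-editable
// metadata is escaped before it is interpolated into markup.
function tooltipHtmlSafe(label, value) {
  return `<div class="tooltip"><span class="label">${escapeHtml(label)}</span>: ${escapeHtml(value)}</div>`;
}

// Review/detection helper: a column label should be plain text. Flag any
// stored label that looks like an HTML tag or carries an on*= handler.
function labelContainsMarkup(label) {
  const s = String(label);
  return /<\s*\/?\s*[a-z!]/i.test(s) || /\bon\w+\s*=/i.test(s);
}

// Constructed sample: a label that would execute on hover if rendered raw.
const SAMPLE_LABEL = 'Revenue <img src=x onerror="alert(document.cookie)">';

// Count live <img> tags in a rendered string (used to compare both renderers).
function countImgTags(html) {
  return (html.match(/<img\b/gi) || []).length;
}

// Stand-alone demonstration.
console.log('unsafe :', tooltipHtmlUnsafe(SAMPLE_LABEL, 42));
console.log('safe   :', tooltipHtmlSafe(SAMPLE_LABEL, 42));
console.log('flagged:', labelContainsMarkup(SAMPLE_LABEL));
```

In a browser the equivalent hardening is to build the tooltip with `textContent` (or a framework's default text binding) instead of `innerHTML`; the escaping function above is what a string-templating path needs. The `labelContainsMarkup` check is a coarse triage aid for auditing existing chart metadata after upgrading, not a substitute for output encoding.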