
Description

Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.

PUBLISHED Reserved 2026-01-19 | Published 2026-02-24 | Updated 2026-02-24 | Assigner apache




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status: unaffected

0.0.0 (semver) before 6.0.0: affected

Credits

Pritam Chakkerwar (finder)

Dhanush Nayak (reporter)

Pedro Sousa (remediation developer)

References

www.openwall.com/lists/oss-security/2026/02/24/5

lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4 vendor-advisory

cve.org (CVE-2026-23980)

nvd.nist.gov (CVE-2026-23980)
