Severity:
Affected versions:
- Apache Superset 0.0.0 before 6.0.0
Description:
Improper Neutralization of Special Elements used in a SQL Command ('SQL
Injection') vulnerability in Apache Superset allows an authenticated user with
read access to conduct error-based SQL injection via the sqlExpression or where
parameters.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to version 6.0.0, which fixes the issue.
Credit:
Pritam Chakkerwar (finder)
Dhanush Nayak (reporter)
Pedro Sousa (remediation developer)
References:
https://superset.apache.org
https://www.cve.org/CVERecord?id=CVE-2026-23980
