CVE-2025-55672

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-55672

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55672.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-55672

Aliases

Published

2025-08-14T14:15:34.347Z

Modified

2026-04-10T05:30:02.530876Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

References

Affected packages

Git / github.com/apache/superset

Affected ranges

Type

GIT

Repo

https://github.com/apache/superset

Events

Introduced

Fixed

465e2a9631994892cf399d13dd926c56cecd58ca

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.0.0"
        }
    ]
}

Affected versions

0.*

0.10.0

0.11.0

0.12.0

0.13.1

0.13.2

0.14.1

0.15.0

0.15.1

0.15.3

0.15.4

0.15.4.1

0.16.0

0.16.1

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.17.5

0.17.6

0.18.2

0.18.3

0.18.4

0.18.5

0.19.1

0.2.1

0.20.1

0.25-fork

0.29.0rc1

0.4.0

0.5.0

0.5.1

0.5.2

0.5.3

0.6.0

0.6.1

0.7.0

0.8.0

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.9.0

0.9.1

2020.*

2020.51.1

5.*

5.0.0rc1

5.0.0rc3

airbnb_prod.*

airbnb_prod.0.10.0.2

airbnb_prod.0.11.0.1

airbnb_prod.0.11.0.2

airbnb_prod.0.11.0.3

airbnb_prod.0.11.0.4

airbnb_prod.0.11.0.5

airbnb_prod.0.11.0.6

airbnb_prod.0.12.0.1

airbnb_prod.0.12.1.0

airbnb_prod.0.13.0.0

airbnb_prod.0.13.0.1

airbnb_prod.0.13.0.2

airbnb_prod.0.13.0.3

airbnb_prod.0.15.0.1

airbnb_prod.0.15.4.1

airbnb_prod.0.15.4.2

airbnb_prod.0.15.5.0

Other

dummy

test_tag

superset-helm-chart-0.*

superset-helm-chart-0.1.0

superset-helm-chart-0.1.1

superset-helm-chart-0.1.2

superset-helm-chart-0.1.3

superset-helm-chart-0.1.4

superset-helm-chart-0.1.5

superset-helm-chart-0.1.6

superset-helm-chart-0.10.0

superset-helm-chart-0.10.1

superset-helm-chart-0.10.10

superset-helm-chart-0.10.11

superset-helm-chart-0.10.12

superset-helm-chart-0.10.13

superset-helm-chart-0.10.14

superset-helm-chart-0.10.15

superset-helm-chart-0.10.2

superset-helm-chart-0.10.3

superset-helm-chart-0.10.4

superset-helm-chart-0.10.5

superset-helm-chart-0.10.6

superset-helm-chart-0.10.7

superset-helm-chart-0.10.8

superset-helm-chart-0.10.9

superset-helm-chart-0.11.0

superset-helm-chart-0.11.1

superset-helm-chart-0.11.2

superset-helm-chart-0.12.0

superset-helm-chart-0.12.1

superset-helm-chart-0.12.10

superset-helm-chart-0.12.11

superset-helm-chart-0.12.2

superset-helm-chart-0.12.3

superset-helm-chart-0.12.4

superset-helm-chart-0.12.5

superset-helm-chart-0.12.6

superset-helm-chart-0.12.7

superset-helm-chart-0.12.8

superset-helm-chart-0.12.9

superset-helm-chart-0.13.1

superset-helm-chart-0.13.2

superset-helm-chart-0.13.3

superset-helm-chart-0.13.5

superset-helm-chart-0.13.6

superset-helm-chart-0.14.0

superset-helm-chart-0.2.0

superset-helm-chart-0.2.1

superset-helm-chart-0.3.0

superset-helm-chart-0.3.1

superset-helm-chart-0.3.10

superset-helm-chart-0.3.11

superset-helm-chart-0.3.12

superset-helm-chart-0.3.2

superset-helm-chart-0.3.3

superset-helm-chart-0.3.4

superset-helm-chart-0.3.5

superset-helm-chart-0.3.6

superset-helm-chart-0.3.7

superset-helm-chart-0.3.8

superset-helm-chart-0.3.9

superset-helm-chart-0.4.0

superset-helm-chart-0.5.0

superset-helm-chart-0.5.1

superset-helm-chart-0.5.10

superset-helm-chart-0.5.2

superset-helm-chart-0.5.3

superset-helm-chart-0.5.4

superset-helm-chart-0.5.5

superset-helm-chart-0.5.6

superset-helm-chart-0.5.7

superset-helm-chart-0.5.8

superset-helm-chart-0.5.9

superset-helm-chart-0.6.0

superset-helm-chart-0.6.1

superset-helm-chart-0.6.2

superset-helm-chart-0.6.3

superset-helm-chart-0.6.4

superset-helm-chart-0.6.5

superset-helm-chart-0.6.6

superset-helm-chart-0.7.0

superset-helm-chart-0.7.1

superset-helm-chart-0.7.2

superset-helm-chart-0.7.3

superset-helm-chart-0.7.4

superset-helm-chart-0.7.6

superset-helm-chart-0.7.7

superset-helm-chart-0.8.0

superset-helm-chart-0.8.1

superset-helm-chart-0.8.10

superset-helm-chart-0.8.2

superset-helm-chart-0.8.3

superset-helm-chart-0.8.4

superset-helm-chart-0.8.5

superset-helm-chart-0.8.6

superset-helm-chart-0.8.7

superset-helm-chart-0.8.8

superset-helm-chart-0.8.9

superset-helm-chart-0.9.0

superset-helm-chart-0.9.1

superset-helm-chart-0.9.2

superset-helm-chart-0.9.3

superset-helm-chart-0.9.4

v2020.*

v2020.51.0

v2021.*

v2021.10.0

v2021.13.0

v2021.15.0

v2021.17.0

v2021.18.0

v2021.19.0

v2021.20.0

v2021.21.0

v2021.22.0

v2021.23.0

v2021.23.1

v2021.24.0

v2021.25.0

v2021.27.0

v2021.27.1

v2021.29.0

v2021.3.0

v2021.31.0

v2021.34.0

v2021.35.0

v2021.36.0

v2021.36.5

v2021.38.0

v2021.40.0

v2021.41.0

v2021.5.0

v2021.5.1

v2021.6.0

v2021.7.0

v2021.8.0

v2021.9.0

v2021.9.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55672.json"