PYSEC-2026-1176

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2026-1176.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1176
Aliases
Published
2026-07-07T16:03:01.231Z
Modified
2026-07-07T17:56:48.963789723Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability
Details

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

References

Affected packages

PyPI / apache-superset

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.0

Affected versions

0.*
0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
2.*
2.0.0
2.0.1
2.1.0
2.1.1rc1
2.1.1rc2
2.1.1rc3
2.1.1
2.1.2
2.1.3
3.*
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0rc1
3.1.0rc2
3.1.0rc3
3.1.0rc4
3.1.0
3.1.1
3.1.2
3.1.3
4.*
4.0.0rc1
4.0.0rc2
4.0.0
4.0.1
4.0.2
4.1.0rc2
4.1.0rc3
4.1.0rc4
4.1.0
4.1.1rc1
4.1.1
4.1.2rc1
4.1.2
4.1.3rc1
4.1.3rc2
4.1.3.post1
4.1.4rc1
4.1.4
5.*
5.0.0rc1
5.0.0rc2
5.0.0rc3
5.0.0rc4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2026-1176.yaml"