PYSEC-2026-1190

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2026-1190.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1190
Aliases
Published
2026-07-07T11:45:27.631311Z
Modified
2026-07-07T17:56:23.215909234Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Apache Superset Cross-site Scripting vulnerability
Details

Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2.  Users are recommended to upgrade to version 2.1.2, which fixes this issue.

References

Affected packages

PyPI / apache-superset

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.2

Affected versions

0.*
0.34.0
0.34.1
0.35.1
0.35.2
0.36.0
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1
1.*
1.0.0
1.0.1
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1
1.5.2
1.5.3
2.*
2.0.0
2.0.1
2.1.0
2.1.1rc1
2.1.1rc2
2.1.1rc3
2.1.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/apache-superset/PYSEC-2026-1190.yaml"