GHSA-fj97-2v9x-w5m4: Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset’s chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column’s label. The payload is not properly sanitized and gets executed in the victim’s browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.
This issue affects Apache Superset: before 5.0.0.
Users are recommended to upgrade to version 5.0.0, which fixes the issue.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-55672
Moderate severity GitHub Reviewed Published Aug 14, 2025 to the GitHub Advisory Database • Updated Aug 14, 2025
Package
apache-superset (pip)
Affected versions
< 5.0.0
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-55672
- https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj
Published to the GitHub Advisory Database
Aug 14, 2025
Last updated
Aug 14, 2025