anonhaven
Ad

CVE-2026-23980

MEDIUM CVSS 4.0: 5.3 EPSS 0.03%
Updated Feb 25, 2026
Apache
Parameter Value
CVSS 5.3 (MEDIUM)
Affected Versions before 6.0.0
Fixed In 6.0.0
Type CWE-89 (SQL Injection)
Vendor Apache
Public PoC No

Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-89 SQL Injection

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Apache Superset
cpe:2.3:a:apache:superset:*:*:*:*:*:*:*:*
 6.0.0

References 2

https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4
security@apache.org
http://www.openwall.com/lists/oss-security/2026/02/24/5
af854a3a-2127-422b-91ae-364da2661108
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-25219

Apache

6.5

CVE-2025-54550

Apache

8.1

CVE-2026-31924

Apache

5.3

CVE-2026-31923

Apache

7.5

CVE-2026-31908

Apache

9.1