Publish Advisories

GHSA-3m2g-v7jf-7fxc
GHSA-48m2-v2r8-h23m
GHSA-gvxg-9hqx-f4rg
GHSA-h294-8fxm-m2pj
GHSA-mwf2-qr4v-94h2

Author: advisory-database[bot]

…-3m2g-v7jf-7fxc/GHSA-3m2g-v7jf-7fxc.json …-3m2g-v7jf-7fxc/GHSA-3m2g-v7jf-7fxc.jsonadvisories/unreviewed/2026/02/GHSA-3m2g-v7jf-7fxc/GHSA-3m2g-v7jf-7fxc.json renamed to advisories/github-reviewed/2026/02/GHSA-3m2g-v7jf-7fxc/GHSA-3m2g-v7jf-7fxc.json advisories/unreviewed/2026/02/GHSA-3m2g-v7jf-7fxc/GHSA-3m2g-v7jf-7fxc.json renamed to advisories/github-reviewed/2026/02/GHSA-3m2g-v7jf-7fxc/GHSA-3m2g-v7jf-7fxc.json

@@ -1,28 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3m2g-v7jf-7fxc",
-  "modified": "2026-02-25T15:31:37Z",
+  "modified": "2026-02-26T15:28:38Z",
   "published": "2026-02-24T15:30:30Z",
   "aliases": [
     "CVE-2026-23982"
   ],
+  "summary": "Apache Superset Improper Authorization allows low-privileged users to bypass access controls ",
   "details": "An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
-    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-superset"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.0"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23982"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/superset"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/9lvbzwkw4rxgdvbpfvnnnfcll92v75fp"
@@ -37,8 +58,8 @@
       "CWE-863"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T15:28:38Z",
     "nvd_published_at": "2026-02-24T14:16:22Z"
   }
 }

…-48m2-v2r8-h23m/GHSA-48m2-v2r8-h23m.json …-48m2-v2r8-h23m/GHSA-48m2-v2r8-h23m.jsonadvisories/unreviewed/2026/02/GHSA-48m2-v2r8-h23m/GHSA-48m2-v2r8-h23m.json renamed to advisories/github-reviewed/2026/02/GHSA-48m2-v2r8-h23m/GHSA-48m2-v2r8-h23m.json advisories/unreviewed/2026/02/GHSA-48m2-v2r8-h23m/GHSA-48m2-v2r8-h23m.json renamed to advisories/github-reviewed/2026/02/GHSA-48m2-v2r8-h23m/GHSA-48m2-v2r8-h23m.json

@@ -1,24 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-48m2-v2r8-h23m",
-  "modified": "2026-02-24T21:31:45Z",
+  "modified": "2026-02-26T15:28:10Z",
   "published": "2026-02-24T15:30:30Z",
   "aliases": [
     "CVE-2026-23969"
   ],
+  "summary": "Apache Superset: Incomplete DISALLOWED_SQL_FUNCTIONS default list for ClickHouse engine",
   "details": "Apache Superset utilizes a configurable dictionary, DISALLOWED_SQL_FUNCTIONS, to restrict the execution of potentially sensitive SQL functions within SQL Lab and charts. While this feature included restrictions for engines like PostgreSQL, a vulnerability was reported where the default list for the ClickHouse engine was incomplete.\n\nThis issue affects Apache Superset: before 4.1.2.\n\nUsers are recommended to upgrade to version 4.1.2, which fixes the issue.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-superset"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.1.2"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23969"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/superset"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/2q22sp4oj3krcgdkxchhtht0vgwp2wnd"
@@ -33,8 +58,8 @@
       "CWE-89"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T15:28:10Z",
     "nvd_published_at": "2026-02-24T14:16:22Z"
   }
 }

…-gvxg-9hqx-f4rg/GHSA-gvxg-9hqx-f4rg.json …-gvxg-9hqx-f4rg/GHSA-gvxg-9hqx-f4rg.jsonadvisories/unreviewed/2026/02/GHSA-gvxg-9hqx-f4rg/GHSA-gvxg-9hqx-f4rg.json renamed to advisories/github-reviewed/2026/02/GHSA-gvxg-9hqx-f4rg/GHSA-gvxg-9hqx-f4rg.json advisories/unreviewed/2026/02/GHSA-gvxg-9hqx-f4rg/GHSA-gvxg-9hqx-f4rg.json renamed to advisories/github-reviewed/2026/02/GHSA-gvxg-9hqx-f4rg/GHSA-gvxg-9hqx-f4rg.json

@@ -1,28 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gvxg-9hqx-f4rg",
-  "modified": "2026-02-25T15:31:37Z",
+  "modified": "2026-02-26T15:28:27Z",
   "published": "2026-02-24T15:30:30Z",
   "aliases": [
     "CVE-2026-23980"
   ],
+  "summary": "Apache Superset allows privileged users to conduct error-based SQL Injection",
   "details": "Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
-    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-superset"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.0"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23980"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/superset"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4"
@@ -37,8 +58,8 @@
       "CWE-89"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T15:28:27Z",
     "nvd_published_at": "2026-02-24T14:16:22Z"
   }
 }

…-h294-8fxm-m2pj/GHSA-h294-8fxm-m2pj.json …-h294-8fxm-m2pj/GHSA-h294-8fxm-m2pj.jsonadvisories/unreviewed/2026/02/GHSA-h294-8fxm-m2pj/GHSA-h294-8fxm-m2pj.json renamed to advisories/github-reviewed/2026/02/GHSA-h294-8fxm-m2pj/GHSA-h294-8fxm-m2pj.json advisories/unreviewed/2026/02/GHSA-h294-8fxm-m2pj/GHSA-h294-8fxm-m2pj.json renamed to advisories/github-reviewed/2026/02/GHSA-h294-8fxm-m2pj/GHSA-h294-8fxm-m2pj.json

@@ -1,28 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h294-8fxm-m2pj",
-  "modified": "2026-02-25T15:31:37Z",
+  "modified": "2026-02-26T15:28:47Z",
   "published": "2026-02-24T15:30:30Z",
   "aliases": [
     "CVE-2026-23983"
   ],
+  "summary": "Apache Superset allows authenticated users to view sensitive data without explicit permissions",
   "details": "A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint (disabled by default) allows users to retrieve a list of objects associated with a specific tag.\nWhen these associated objects include Users, the API response improperly serializes and returns sensitive fields, including password hashes (pbkdf2), email addresses, and login statistics. This vulnerability allows authenticated users with low privileges (e.g., Gamma role) to view sensitive authentication data \n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue or make sure TAGGING_SYSTEM is False (Apache Superset current default)",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
-    },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-superset"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.0"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23983"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/superset"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/62mgbc5hc8026skp69kb6vqozj3pr5ww"
@@ -37,8 +58,8 @@
       "CWE-200"
     ],
     "severity": "LOW",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T15:28:47Z",
     "nvd_published_at": "2026-02-24T14:16:23Z"
   }
 }

…-mwf2-qr4v-94h2/GHSA-mwf2-qr4v-94h2.json …-mwf2-qr4v-94h2/GHSA-mwf2-qr4v-94h2.jsonadvisories/unreviewed/2026/02/GHSA-mwf2-qr4v-94h2/GHSA-mwf2-qr4v-94h2.json renamed to advisories/github-reviewed/2026/02/GHSA-mwf2-qr4v-94h2/GHSA-mwf2-qr4v-94h2.json advisories/unreviewed/2026/02/GHSA-mwf2-qr4v-94h2/GHSA-mwf2-qr4v-94h2.json renamed to advisories/github-reviewed/2026/02/GHSA-mwf2-qr4v-94h2/GHSA-mwf2-qr4v-94h2.json

@@ -1,24 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mwf2-qr4v-94h2",
-  "modified": "2026-02-24T21:31:45Z",
+  "modified": "2026-02-26T15:29:01Z",
   "published": "2026-02-24T15:30:30Z",
   "aliases": [
     "CVE-2026-23984"
   ],
+  "summary": "Apache Superset: Read-Only Bypass via Improper Input Validation on PostgreSQL Connections",
   "details": "An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection.\nWhile the system effectively blocks standard Data Manipulation Language (DML) statements (e.g., INSERT, UPDATE, DELETE) on read-only connections, it fails to detect them in specially crafted SQL statements.\n\nThis issue affects Apache Superset: before 6.0.0.\n\nUsers are recommended to upgrade to version 6.0.0, which fixes the issue.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-superset"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.0"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23984"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/superset"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/72cmgxtvp9pclto4ln1chbs1227nwd26"
@@ -30,11 +55,12 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-200",
       "CWE-863"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T15:29:00Z",
     "nvd_published_at": "2026-02-24T14:16:23Z"
   }
 }