CVE-2026-23980
published 2026-02-24CVE-2026-23980: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read…
medium5.3CVSS 4.0
AVNACLATNPRLUINVCLVINVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.
This issue affects Apache Superset: before 6.0.0.
Users are recommended to upgrade to version 6.0.0, which fixes the issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | superset | < 6.0.0 | 6.0.0 |
| apache_software_foundation | apache_superset | >= 0.0.0 < 6.0.0 | 6.0.0 |