CVE-2026-23980NVD

Vulnerability Summary

Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters.

This issue affects Apache Superset: before 6.0.0.

Users are recommended to upgrade to version 6.0.0, which fixes the issue.

Severity Level

MEDIUM(5.3)

Published Date

Feb 24, 2026

Last Modified

Feb 24, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.03%Probability

Root Weakness (CWE)

CWE-89: SQL Injection ↗

Improper neutralization of special elements used in an SQL command, allowing attackers to modify queries.

CVSS v4.0 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

External References

https://lists.apache.org/thread/h4l02zw1pr2vywv0dc5zjn3grdcdhwf4

Critical Alert

CVE Watchtower

CVE-2026-23980NVD

Vulnerability Summary

External References