Vulnerability Description
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Superset | < 5.0.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdjMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2025/08/14/4
FAQ
What is CVE-2025-55672?
CVE-2025-55672 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's ...
How severe is CVE-2025-55672?
CVE-2025-55672 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55672?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Superset.