
Apache Software Foundation: Apache Superset: Stored Cross-Site Scripting

CVE-2023-49657 Critical Published
CVSS
9.6 Critical · Network · Low PR
EPSS
0.00399 0.4% chance of exploit in 30d
CWE
CWE-79 Cross-site Scripting
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Summary

Per NVD: “A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS.”

Affected Packages / Versions

  • Package: apache-superset (—)
  • Versions seen at triage time: all releases prior to 3.0.3
  • Affected range: Apache Superset < 3.0.3 (per NVD), i.e. every 2.x release and 3.0.x releases before 3.0.3
  • Patched version: Apache Superset 3.0.3

Impact

Per NVD the scope is changed (S:C): the payload is stored in a chart or dashboard and executes in the browser of every other user who later views it, including administrators. NVD does not spell out concrete outcomes; in an authenticated analytics tool the usual consequences of stored XSS apply, such as session or token theft, actions taken with the victim's privileges, and exfiltration of data the victim is allowed to query.

Severity Rationale

NVD CVSS 9.6 (Critical): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, i.e. create/update permission on charts or dashboards), no user interaction (UI:N), scope changed (S:C), high confidentiality and integrity impact (C:H/I:H), no availability impact (A:N).

Fix

Per NVD, upgrade to Apache Superset 3.0.3 or later. For 2.x deployments that cannot upgrade immediately, NVD also notes a TALISMAN_CONFIG content-security-policy hardening that restricts script sources; treat it as a mitigation that blocks execution of the injected markup, not as a replacement for the upgrade.
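As an added example (this is not code from Apache Superset or NVD), the following Python checks a TALISMAN_CONFIG of the kind NVD describes for 2.x: it renders the content_security_policy dict into the header value Flask-Talisman would send and flags script-src settings that would still let stored markup run, alongside the version check for the affected range. The keys TALISMAN_ENABLED, content_security_policy and content_security_policy_nonce_in follow Superset's Flask-Talisman configuration; the source lists in the two sample settings are constructed for this example and are not the exact upstream workaround.

```python
"""Checker for a Superset TALISMAN_CONFIG content-security-policy workaround.

Added example, not code from Apache Superset or NVD.  Assumes the
Flask-Talisman keys Superset exposes (TALISMAN_ENABLED, TALISMAN_CONFIG with
content_security_policy and content_security_policy_nonce_in); the source
lists below are constructed sample values.
"""

# Constructed sample: a setup that does NOT mitigate stored XSS, because
# script-src still permits inline scripts and Talisman is not even enabled.
WEAK_SETTINGS = {
    "TALISMAN_ENABLED": False,
    "TALISMAN_CONFIG": {
        "content_security_policy": {
            "default-src": ["'self'"],
            "script-src": ["'self'", "'unsafe-inline'"],
            "object-src": "'none'",
        },
        "force_https": False,
    },
}

# Constructed sample in the shape of the hardening NVD points 2.x users to:
# scripts only from 'self' or nonce-tagged via 'strict-dynamic', the nonce
# injected into script-src, no inline script allowed.
HARDENED_SETTINGS = {
    "TALISMAN_ENABLED": True,
    "TALISMAN_CONFIG": {
        "content_security_policy": {
            "base-uri": ["'self'"],
            "default-src": ["'self'"],
            "img-src": ["'self'", "blob:", "data:"],
            "worker-src": ["'self'", "blob:"],
            "connect-src": ["'self'"],
            "object-src": "'none'",
            "style-src": ["'self'", "'unsafe-inline'"],
            "script-src": ["'self'", "'strict-dynamic'"],
        },
        "content_security_policy_nonce_in": ["script-src"],
        "force_https": True,
        "session_cookie_secure": True,
    },
}

# Source expressions that make script-src effectively open.
PERMISSIVE_SOURCES = {"*", "http:", "https:", "data:", "blob:", "'unsafe-eval'"}


def _as_list(value):
    """Talisman accepts a directive value as a string or a list of strings."""
    if value is None:
        return None
    return [value] if isinstance(value, str) else list(value)


def render_csp(policy):
    """Serialize a policy dict into a Content-Security-Policy header value:
    one 'directive sources' clause per entry, joined by '; '."""
    clauses = []
    for directive, sources in policy.items():
        clauses.append(f"{directive} {' '.join(_as_list(sources))}")
    return "; ".join(clauses)


def is_affected_version(version):
    """True for any Superset release below 3.0.3 (the NVD affected range)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts < (3, 0, 3)


def script_src_findings(settings):
    """Return the reasons this configuration would still let attacker-stored
    markup in a chart or dashboard execute as script; an empty list means the
    workaround is in place."""
    findings = []
    if not settings.get("TALISMAN_ENABLED", False):
        findings.append("TALISMAN_ENABLED is false: no CSP header is sent at all")
    talisman = settings.get("TALISMAN_CONFIG") or {}
    policy = talisman.get("content_security_policy") or {}
    nonce_in = talisman.get("content_security_policy_nonce_in") or []
    # Browsers fall back to default-src when script-src is absent.
    script_src = _as_list(policy.get("script-src", policy.get("default-src")))
    if script_src is None:
        findings.append("no script-src or default-src: scripts may load from anywhere")
        return findings
    has_nonce = "script-src" in nonce_in
    # A nonce makes 'unsafe-inline' ignored by CSP2+ browsers; without one,
    # an injected <script> element simply runs.
    if "'unsafe-inline'" in script_src and not has_nonce:
        findings.append("'unsafe-inline' in script-src: an injected <script> runs")
    if "'strict-dynamic'" in script_src and not has_nonce:
        findings.append("'strict-dynamic' without a nonce: no trusted root script to propagate trust from")
    broad = sorted(PERMISSIVE_SOURCES & set(script_src))
    if broad:
        findings.append(f"overly broad script sources: {', '.join(broad)}")
    return findings


if __name__ == "__main__":
    for name, settings in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        policy = settings["TALISMAN_CONFIG"]["content_security_policy"]
        print(f"[{name}] Content-Security-Policy: {render_csp(policy)}")
        for finding in script_src_findings(settings) or ["ok: script-src blocks injected markup"]:
            print(f"    {finding}")
```

Point script_src_findings at the dict you load from superset_config.py to confirm the mitigation is actually in effect before relying on it; a policy that allows 'unsafe-inline' without a nonce, or that never reaches the browser because Talisman is disabled, provides no protection against this issue.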

Disclosure timeline

  • TBD: Reported to vendor
  • TBD: Patch released (Superset 3.0.3)
  • TBD: Public disclosure

Fix Commit(s)

  • See apache/superset 3.0.3 changelog

References

Discovered by Praetorian Labs (per cve-research listing) · Published April 29, 2026