CVE-2024-41937

CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link

Vendor Apache Software Foundation

Product Apache Airflow

Weakness CWE-79 · XSS

Published August 21, 2024

Last update March 20, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and the user to click the provider link. Users should upgrade to 2.10.0 or later, which fixes this vulnerability.

Key dates

Disclosure timeline

August 21, 2024 CVE published

March 20, 2025 Record updated