CVE-2025-55672 MEDIUM

CVE-2025-55672: Apache Superset: Stored XSS on charts metadata

Vendor Apache Software Foundation

Product Apache Superset

Weakness CWE-80 · XSS · basic

Published August 14, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.

Key dates

Disclosure timeline

August 14, 2025 CVE published

November 4, 2025 Record updated