Vulnerability CVE-2023-49736


Published: 2023-12-19

Description:
The where_in Jinja macro allows users to specify the quote character, which, combined with a carefully crafted statement, would allow SQL injection in Apache Superset. This issue affects Apache Superset versions before 2.1.2 and from 3.0.0 before 3.0.2.

Users are recommended to upgrade to version 3.0.2, which fixes the issue.

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

References:
https://lists.apache.org/thread/1kf481bgs3451qcz6hfhobs7xvhp8n1p

Copyright 2026, cxsecurity.com
