2025-08-14 13:17:33
apache
PUBLISHED
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Supersets chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a columns label. The payload is not properly sanitized and gets executed in the victims browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.