CVE-2025-55672

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user.

This issue affects Apache Superset: before 5.0.0.

Users are recommended to upgrade to version 5.0.0, which fixes the issue.

Published: Aug 14, 2025
Updated: Nov 10, 2025
CVE: CVE-2025-55672
GHSA: GHSA-fj97-2v9x-w5m4
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-80

Affected Software
References

Software	From	Fixed in
apache-superset	-	5.0.0
apache / superset	-	5.0.0

http://www.openwall.com/lists/oss-security/2025/08/14/4
https://lists.apache.org/thread/rvh7fdjfzxzjhcfwoz7twc2brhvochdj

Vulnerability Database

CVE-2025-55672

Deep Security Visibility Without the Complexity