GHSA-fpmr-qmgh-42x2
GitHub Security Advisory
Apache Superset vulnerable to Injection
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
An authenticated attacker with write permission on CSS templates can create a CSS template record containing specific HTML tags that are not properly escaped in the toast message displayed when a user deletes that record. This issue affects Apache Superset 1.5.2 and earlier versions, and version 2.0.0.
Affected Packages
PyPI
apache-superset
Affected versions: 0 (last affected: 1.5.2)
PyPI
apache-superset
Related CVEs
Key Information
5.0/10
Dataset
Last updated: July 27, 2025 6:35 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.