CVE-2023-39265
LOW · EXPLOITED
Apache Superset < 2.1.0 - Improper Input Validation
Title source: ruleDescription
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using a SQLite database for its metadata (not advised for production use) it could result in more severe vulnerabilities related to confidentiality and integrity. This vulnerability exists in Apache Superset versions up to and including 2.1.0.
Exploits (1)
metasploit · WORKING POC · GOOD
by h00die, paradoxis, Spencer McIntyre, Naveen Sunkavally · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_superset_cookie_sig_rce.rb
Scores
CVSS v3: 3.8
EPSS: 0.7414
EPSS Percentile: 98.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Details
VulnCheck KEV: 2025-08-12
CWE: CWE-20
Status: published
Products (2)
apache/superset
< 2.1.0
pypi/apache-superset
0PyPI
Published: Sep 06, 2023
Tracked Since: Feb 18, 2026