Exploitation Summary
EIP tracks 2 public exploits for CVE-2026-23980. PoCs published by oscar-mine, oscarmine.
AI-analyzed exploit summary
This repository contains a functional exploit for CVE-2026-23980, an authenticated SQL injection vulnerability in Apache Superset < 6.0.0. The exploit leverages PostgreSQL XML functions to bypass validation and perform error-based SQL injection via the `sqlExpression` or `where` parameters in the `/api/v1/chart/data` endpoint.
Description
Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue.
Exploits (2)
This repository contains a functional exploit for CVE-2026-23980, an authenticated SQL injection vulnerability in Apache Superset < 6.0.0. The exploit leverages PostgreSQL XML functions to bypass validation and perform error-based SQL injection via the `sqlExpression` or `where` parameters in the `/api/v1/chart/data` endpoint.
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N