Stored XSS Vulnerability in Apache Superset Chart Metadata Allows Session Hijacking Before Version 5.0.0
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Apache Superset's chart visualization component. The flaw allows an authenticated user with chart edit permissions to inject malicious code into column labels, which the application fails to sanitize before rendering. When other users interact with an affected chart, specifically by hovering over it, the injected payload executes in their browsers, creating a pathway for session hijacking or for performing arbitrary actions in the application on their behalf.
The attack relies on the trust users place in Superset's internal environment: a dashboard served by the organization's own instance is not expected to carry hostile content. Unlike reflected or self-XSS flaws, stored XSS persists in the application's data layer, meaning the malicious payload survives across sessions and affects any user who views the compromised visualization. This amplifies the risk significantly: a single compromised account with chart-editing rights can weaponize dashboards organization-wide. The vulnerability stems from insufficient sanitization of metadata associated with chart columns, an area where user input passes directly into the rendering pipeline without adequate validation, so a label that should be displayed as text is instead interpreted as markup.
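The two paragraphs above describe the mechanism in the abstract: a stored column label reaches a tooltip without escaping, and whatever markup it carries becomes live DOM when the tooltip is shown. The following JavaScript is an added example written for this page, not Apache Superset's own code. It puts the vulnerable rendering pattern next to the hardened one and adds a defender-side audit over stored chart metadata. The function names (`buildTooltipUnsafe`, `buildTooltipSafe`, `auditChartLabels`), the `{ id, columns: [{ name, label }] }` metadata shape and the sample chart are all assumptions constructed for the demonstration, not Superset's real schema or API.

```javascript
// Added example (not Apache Superset's code): unescaped vs. escaped tooltip
// rendering for a chart column label, plus an audit of stored labels.
// Function names and the chart metadata shape are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can open a tag, close one, or break out
// of a quoted attribute. Everything else passes through unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE pattern: the stored label is spliced straight into markup that
// the chart later hands to innerHTML. Any tag inside the label becomes DOM,
// and any event handler on it runs in the viewer's session.
function buildTooltipUnsafe(columnLabel, value) {
  return `<div class="tooltip"><span class="label">${columnLabel}</span>: ${value}</div>`;
}

// HARDENED pattern: every untrusted field is escaped at the rendering
// boundary, so the label is shown as literal text whatever it contains.
function buildTooltipSafe(columnLabel, value) {
  return `<div class="tooltip"><span class="label">${escapeHtml(columnLabel)}</span>: ${escapeHtml(value)}</div>`;
}

// Defender-side check over stored chart metadata: report every column label
// that contains HTML-significant characters. A label that escaping would
// change is one that the vulnerable renderer would interpret as markup.
// The `chart.columns[].label` shape is an assumption for this example.
function auditChartLabels(chart) {
  const findings = [];
  for (const col of chart.columns) {
    if (escapeHtml(col.label) !== col.label) {
      findings.push({ chart: chart.id, column: col.name, label: col.label });
    }
  }
  return findings;
}

// Constructed sample chart: one ordinary label and one carrying markup with
// an event handler, the kind of content a column label should never hold.
const sampleChart = {
  id: 42,
  columns: [
    { name: "revenue", label: "Revenue (USD)" },
    { name: "region", label: 'Region<img src=x onerror="alert(1)">' },
  ],
};

// Run the audit and show both renderings for the flagged label.
const findings = auditChartLabels(sampleChart);
console.log("audit findings:", JSON.stringify(findings, null, 2));
for (const f of findings) {
  console.log("unsafe render:", buildTooltipUnsafe(f.label, 1234));
  console.log("safe render:  ", buildTooltipSafe(f.label, 1234));
}
```

The important design point is where the escaping happens: at the moment the value is turned into HTML, not at storage time. Escaping on write would still leave every other consumer of the label (CSV export, API responses, the SQL editor) displaying mangled entities, and would miss labels that were stored before the fix. The audit function is the check an administrator can run against existing chart definitions after upgrading, since the patch prevents new injections but does not rewrite labels already saved.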
The issue affects Apache Superset installations running versions prior to 5.0.0. The project maintainers have released version 5.0.0 as the patched release and recommend that administrators upgrade immediately. Organizations running Superset in shared or multi-tenant environments should treat this as a high-priority update given the potential for lateral movement and credential exposure through session cookies. Until the upgrade is applied, limiting chart-editing permissions to a trusted subset of users may reduce exposure but does not eliminate the underlying flaw, since any remaining editor can still store a payload that every viewer of the chart will execute.