apache_superset is vulnerable to remote code execution (RCE). A number of templated text fields are not validated, which allows an authenticated user to send malicious requests and gain access to Python's os package in the web application process, and through it to files, environment variables and process information. It is also possible to set environment variables for the current process, create and update files in folders writable by the web process, and execute arbitrary programs accessible by the web process.
lists.apache.org/thread.html/r0e35c7c5672a6146b962840be5c1a7b7461c05a71cd7ecc62774d155@%3Cnotifications.superset.apache.org%3E
lists.apache.org/thread.html/r4fc7115f6e63ac255c48fc68c0da592df55fe4be47cae6378d39ac22@%3Cnotifications.superset.apache.org%3E
lists.apache.org/thread.html/rdeee068ac1e0c43bd5b69830240f30598df15a2ef9f7998c7b29131e%40%3Cdev.superset.apache.org%3E