Medium severity 5.4 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-9056

Description

A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store an XSS payload that can be triggered by a different user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Talend Administration Center lets users with server management permissions inject malicious scripts that execute when other users view the payload.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Qlik Talend Administration Center. An attacker who has been granted permission to manage servers can inject a malicious script payload that is stored on the server. When a different user views the affected page, the script executes in the context of that user's browser. All versions of Qlik Talend Administration Center before patch QTAC-1883 (cumulative patch R2026-01_v1-8.0.1) are affected [1].

Exploitation

An attacker must have a valid account with the manage servers permission in the Talend Administration Center. The attacker then stores a crafted XSS payload via the server management interface. No additional user interaction is required during the storage step. The malicious script is later triggered automatically when another authenticated user navigates to the page that renders the stored payload [1].

Impact

A successful attack leads to client-side script execution in the context of the victim's session. The CVSS vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N indicates limited confidentiality and integrity impact — an attacker could steal session tokens or perform actions on behalf of the victim. The scope is changed because the vulnerable component (server) and the impacted component (victim's browser) are different [1].

Mitigation

Qlik Talend Administration Center patch QTAC-1883, released on January 23, 2026, fixes the vulnerability. Customers should upgrade to this patch or any later version as soon as possible [1]. No workarounds are described in the available reference.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
