Qlik
Products
11- 6 CVEs
- 6 CVEs
- 6 CVEs
- 5 CVEs
- 4 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
33| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-6264 | Cri | 0.64 | 9.8 | 0.01 | Apr 14, 2026 | A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by… | ||
| CVE-2024-55579 | Hig | 0.57 | 8.8 | 0.00 | Dec 9, 2024 | An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in November 2024 IR, May 2024 Patch 10, February… | ||
| CVE-2024-36077 | Hig | 0.57 | 8.8 | 0.01 | May 22, 2024 | Qlik Sense Enterprise for Windows before 14.187.4 allows a remote attacker to elevate their privilege due to improper validation. The attacker can elevate their privilege to the internal system role, which allows them to execute commands on the server. This affects February 2024… | ||
| CVE-2026-9057 | Hig | 0.53 | 8.2 | 0.00 | May 20, 2026 | A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available. | ||
| CVE-2024-29863 | Hig | 0.51 | 7.8 | 0.00 | Apr 5, 2024 | A race condition in the installer executable in Qlik Qlikview before versions May 2022 SR3 (12.70.20300) and May 2023 SR2 (12,80.20200) may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator. | ||
| CVE-2024-55580 | Hig | 0.49 | 7.5 | 0.00 | Dec 9, 2024 | An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. Unprivileged users with network access may be able to execute remote commands that could cause high availability damages, including high integrity and confidentiality risks. This is fixed in… | ||
| CVE-2020-36994 | Med | 0.40 | 6.2 | 0.00 | Jan 29, 2026 | QlikView 12.50.20000.0 contains a denial of service vulnerability in the FTP server address input field that allows local attackers to crash the application. Attackers can paste a 300-character buffer into the FTP server address field to trigger an application crash and prevent… | ||
| CVE-2026-9056 | Med | 0.35 | 5.4 | 0.00 | May 20, 2026 | A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a different user. | ||
| CVE-2023-41266 | 0.26 | — | 0.85 | KEV | Aug 29, 2023 | A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate… | ||
| CVE-2023-41265 | 0.25 | — | 0.85 | KEV | Aug 29, 2023 | An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their… | ||
| CVE-2023-48365 | 0.22 | — | 0.25 | KEV | Nov 15, 2023 | Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP… | ||
| CVE-2015-3623 | 0.04 | — | 0.16 | Sep 16, 2015 | XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx. | |||
| CVE-2025-61138 | 0.00 | — | 0.00 | Nov 20, 2025 | Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory. | |||
| CVE-2023-36301 | 0.00 | — | 0.01 | Jun 26, 2023 | Talend Data Catalog before 8.0-20230221 contain a directory traversal vulnerability in HeaderImageServlet. | |||
| CVE-2023-33247 | 0.00 | — | 0.00 | May 26, 2023 | Talend Data Catalog remote harvesting server before 8.0-20230413 contains a /upgrade endpoint that allows an unauthenticated WAR file to be deployed on the server. (A mitigation is that the remote harvesting server should be behind a firewall that only allows access to the… | |||
| CVE-2023-31444 | 0.00 | — | 0.01 | Apr 28, 2023 | In Talend Studio before 7.3.1-R2022-10 and 8.x before 8.0.1-R2022-09, microservices allow unauthenticated access to the Jolokia endpoint of the microservice. This allows for remote access to the JVM via the Jolokia JMX-HTTP bridge. | |||
| CVE-2023-26264 | 0.00 | — | 0.00 | Apr 13, 2023 | All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. | |||
| CVE-2023-26263 | 0.00 | — | 0.00 | Apr 13, 2023 | All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. | |||
| CVE-2022-42248 | 0.00 | — | 0.00 | Mar 6, 2023 | QlikView 12.60.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the QvsViewClient functionality. | |||
| CVE-2022-45589 | 0.00 | — | 0.01 | Feb 6, 2023 | All versions before 8.0.1-R2022-10-RT and 7.3.1-R2022-09-RT of the Talend ESB Runtime are potentially vulnerable to SQL Injection attacks in the provisioning service only. Users of the provisioning service should upgrade to either 8.0.1-R2022-10-RT or 7.3.1-R2022-09-RT or a… |
- risk 0.64cvss 9.8epss 0.01
A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by…
- risk 0.57cvss 8.8epss 0.00
An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in November 2024 IR, May 2024 Patch 10, February…
- risk 0.57cvss 8.8epss 0.01
Qlik Sense Enterprise for Windows before 14.187.4 allows a remote attacker to elevate their privilege due to improper validation. The attacker can elevate their privilege to the internal system role, which allows them to execute commands on the server. This affects February 2024…
- risk 0.53cvss 8.2epss 0.00
A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available.
- risk 0.51cvss 7.8epss 0.00
A race condition in the installer executable in Qlik Qlikview before versions May 2022 SR3 (12.70.20300) and May 2023 SR2 (12,80.20200) may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator.
- risk 0.49cvss 7.5epss 0.00
An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. Unprivileged users with network access may be able to execute remote commands that could cause high availability damages, including high integrity and confidentiality risks. This is fixed in…
- risk 0.40cvss 6.2epss 0.00
QlikView 12.50.20000.0 contains a denial of service vulnerability in the FTP server address input field that allows local attackers to crash the application. Attackers can paste a 300-character buffer into the FTP server address field to trigger an application crash and prevent…
- risk 0.35cvss 5.4epss 0.00
A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a different user.
- risk 0.26cvss —epss 0.85
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate…
- risk 0.25cvss —epss 0.85
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their…
- risk 0.22cvss —epss 0.25
Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP…
- CVE-2015-3623Sep 16, 2015risk 0.04cvss —epss 0.16
XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx.
- CVE-2025-61138Nov 20, 2025risk 0.00cvss —epss 0.00
Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory.
- CVE-2023-36301Jun 26, 2023risk 0.00cvss —epss 0.01
Talend Data Catalog before 8.0-20230221 contain a directory traversal vulnerability in HeaderImageServlet.
- CVE-2023-33247May 26, 2023risk 0.00cvss —epss 0.00
Talend Data Catalog remote harvesting server before 8.0-20230413 contains a /upgrade endpoint that allows an unauthenticated WAR file to be deployed on the server. (A mitigation is that the remote harvesting server should be behind a firewall that only allows access to the…
- CVE-2023-31444Apr 28, 2023risk 0.00cvss —epss 0.01
In Talend Studio before 7.3.1-R2022-10 and 8.x before 8.0.1-R2022-09, microservices allow unauthenticated access to the Jolokia endpoint of the microservice. This allows for remote access to the JVM via the Jolokia JMX-HTTP bridge.
- CVE-2023-26264Apr 13, 2023risk 0.00cvss —epss 0.00
All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code.
- CVE-2023-26263Apr 13, 2023risk 0.00cvss —epss 0.00
All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.
- CVE-2022-42248Mar 6, 2023risk 0.00cvss —epss 0.00
QlikView 12.60.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the QvsViewClient functionality.
- CVE-2022-45589Feb 6, 2023risk 0.00cvss —epss 0.01
All versions before 8.0.1-R2022-10-RT and 7.3.1-R2022-09-RT of the Talend ESB Runtime are potentially vulnerable to SQL Injection attacks in the provisioning service only. Users of the provisioning service should upgrade to either 8.0.1-R2022-10-RT or 7.3.1-R2022-09-RT or a…