Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a different user.
AnalysisAI
Stored cross-site scripting in Qlik Talend Administration Center allows an authenticated user holding server management permissions to inject persistent malicious script payloads that execute in the browsers of other TAC users who subsequently view the affected content. The CVSS Changed scope (S:C) signals that successful exploitation crosses security boundaries beyond the application itself, enabling impact on victim browser sessions. No public exploit code identified at time of analysis, no CISA KEV listing, but Qlik has published a security fix via their official support community.
Technical ContextAI
Talend Administration Center (now distributed under the Qlik brand following acquisition) is a web-based management console for orchestrating Talend data integration jobs and server infrastructure. The vulnerability is a stored (persistent) XSS flaw: user-supplied input submitted through the server management interface is not adequately sanitized or output-encoded before being stored and subsequently rendered back to other users' browsers. This allows injected script to execute in a victim's browser session under the TAC application's origin. The CVSS vector's Changed scope (S:C) reflects that the exploited component (the TAC server-side storage) differs from the impacted component (the victim's browser), a hallmark of stored XSS. The CPE string cpe:2.3:a:talend:talend_administration_center:*:*:*:*:*:*:*:* uses a full wildcard on version, meaning NVD has not bounded the affected version range - exact versions must be obtained from the vendor advisory. No CWE was assigned in source data, though CWE-79 (Improper Neutralization of Input During Web Page Generation) is the standard classification for this vulnerability class.
RemediationAI
Apply the security fix documented in the Qlik Official Support Article at https://community.qlik.com/t5/Official-Support-Articles/Security-fix-for-Qlik-Talend-Administration-Center-cross-site/ta-p/2548522. The exact patched version number is not confirmed from the available NVD or CPE data - retrieve the specific fix version from the Qlik advisory before planning upgrades. As a compensating control pending patching, restrict the 'manage servers' permission to the smallest feasible set of trusted accounts, directly reducing the pool of principals capable of injecting a stored payload; note this may impact operational workflows if server management is broadly delegated. Deploying a strict Content Security Policy (CSP) header on the TAC web interface to limit script execution to trusted origins would reduce the effective blast radius of any pre-existing stored payloads, though CSP configuration requires testing to avoid breaking legitimate TAC functionality. Enable audit logging on server configuration changes within TAC to detect anomalous payload-like entries as a detection measure.
More in Talend Administration Center
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31060
GHSA-j786-w88h-3h53