Skip to main content

Talend Administration Center CVE-2026-9056

| EUVDEUVD-2026-31060 MEDIUM
2026-05-20 Bugcrowd GHSA-j786-w88h-3h53
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 20, 2026 - 05:17 vuln.today

DescriptionCVE.org

A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a different user.

AnalysisAI

Stored cross-site scripting in Qlik Talend Administration Center allows an authenticated user holding server management permissions to inject persistent malicious script payloads that execute in the browsers of other TAC users who subsequently view the affected content. The CVSS Changed scope (S:C) signals that successful exploitation crosses security boundaries beyond the application itself, enabling impact on victim browser sessions. No public exploit code identified at time of analysis, no CISA KEV listing, but Qlik has published a security fix via their official support community.

Technical ContextAI

Talend Administration Center (now distributed under the Qlik brand following acquisition) is a web-based management console for orchestrating Talend data integration jobs and server infrastructure. The vulnerability is a stored (persistent) XSS flaw: user-supplied input submitted through the server management interface is not adequately sanitized or output-encoded before being stored and subsequently rendered back to other users' browsers. This allows injected script to execute in a victim's browser session under the TAC application's origin. The CVSS vector's Changed scope (S:C) reflects that the exploited component (the TAC server-side storage) differs from the impacted component (the victim's browser), a hallmark of stored XSS. The CPE string cpe:2.3:a:talend:talend_administration_center:*:*:*:*:*:*:*:* uses a full wildcard on version, meaning NVD has not bounded the affected version range - exact versions must be obtained from the vendor advisory. No CWE was assigned in source data, though CWE-79 (Improper Neutralization of Input During Web Page Generation) is the standard classification for this vulnerability class.

RemediationAI

Apply the security fix documented in the Qlik Official Support Article at https://community.qlik.com/t5/Official-Support-Articles/Security-fix-for-Qlik-Talend-Administration-Center-cross-site/ta-p/2548522. The exact patched version number is not confirmed from the available NVD or CPE data - retrieve the specific fix version from the Qlik advisory before planning upgrades. As a compensating control pending patching, restrict the 'manage servers' permission to the smallest feasible set of trusted accounts, directly reducing the pool of principals capable of injecting a stored payload; note this may impact operational workflows if server management is broadly delegated. Deploying a strict Content Security Policy (CSP) header on the TAC web interface to limit script execution to trusted origins would reduce the effective blast radius of any pre-existing stored payloads, though CSP configuration requires testing to avoid breaking legitimate TAC functionality. Enable audit logging on server configuration changes within TAC to detect anomalous payload-like entries as a detection measure.

Share

CVE-2026-9056 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy