Skip to main content

Spotfire Enterprise EUVDEUVD-2026-43678

| CVE-2026-8590 HIGH
2026-07-14 Spotfire GHSA-q55h-7282-gq6q
8.7
CVSS 4.0 · Vendor: Spotfire
Share

Severity by source

Vendor (Spotfire) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.3 HIGH

Network-reachable and unauthenticated (AV:N/PR:N) but gated by required user interaction (UI:R); high confidentiality/integrity and low availability impact per the vendor 4.0 vector, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Spotfire).

CVSS VectorVendor: Spotfire

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 14:45 vuln.today
CVE Published
Jul 14, 2026 - 13:49 cve.org
HIGH 8.7

DescriptionCVE.org

Vulnerability in Spotfire Spotfire Enterprise (Spotfire Server modules), Spotfire Spotfire Enterprise with External Consumers (Spotfire Server modules), Spotfire Spotfire on Kubernetes (Spotfire Server modules).

This issue affects Spotfire Enterprise: through 14.0.12, through 14.4.2, through 14.5.0, through 14.6.1, through 14.6.2, through 14.7.0, through 14.8.0; Spotfire Enterprise with External Consumers: through 14.0.12, through 14.5.0, through 14.6.0, through 14.6.1, through 14.6.2, through 14.7.0, through 14.8.0; Spotfire on Kubernetes: through 4.2.0, 5.0.X, 6.0.X.

AnalysisAI

Information disclosure with integrity impact in the Spotfire Server modules of Spotfire Enterprise, Spotfire Enterprise with External Consumers, and Spotfire on Kubernetes allows a remote, unauthenticated attacker to obtain sensitive data and alter server-side state once a victim is lured into a passive interaction (UI:P), such as opening a crafted link or analysis. The CVSS 4.0 base score is 8.7 (High) with high confidentiality and integrity impact and low availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing Spotfire Server
Delivery
Craft malicious link or analysis content
Exploit
Deliver to legitimate user
Execution
Victim opens crafted content (UI:P)
Persist
Server processes attacker input
Impact
Disclose sensitive data and tamper with state

Vulnerability AssessmentAI

Exploitation Exploitation requires no authentication (PR:N) and no elevated privileges, but is gated by passive user interaction (UI:P): a legitimate user must be induced to perform an action such as opening a crafted link or loading attacker-supplied content served through the network-reachable Spotfire Server web interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P) describes a network-reachable, low-complexity, unauthenticated flaw whose only meaningful barrier is required passive user interaction (UI:P), yielding a High 8.7 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious link or analysis payload targeting an internet-facing Spotfire Server and delivers it to a legitimate user via email or a web page. When the victim opens it (the passive UI:P interaction), the server processes attacker-influenced content that leaks sensitive data and allows the attacker to tamper with server-side state. …
Remediation Patch available per vendor advisory: consult the Spotfire Security Advisory of July 14, 2026 (https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-july-14-2026-spotfire-cve-2026-8590-r3641/) and upgrade each product past its listed affected ceiling - Spotfire Enterprise and External Consumers builds beyond the 14.8.0 branch, and Spotfire on Kubernetes beyond the 4.2.0/5.0.X/6.0.X lines; exact fixed-version numbers are not provided in this dataset and must be confirmed from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Spotfire Server deployments, document current versions, and identify which instances are internet-facing or accessible to external users. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Share

EUVD-2026-43678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy