Skip to main content

Tableau Server

17 CVEs product

Monthly

CVE-2025-52451 HIGH This Month

Improper Input Validation vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal.1.3, before 2024.2.12,. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Path Traversal Tableau Server Windows
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-52450 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux (abdoc api - create-data-source-from-file-upload modules). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Path Traversal Tableau Server Windows
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-26498 HIGH This Week

Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (establish-connection-no-undo modules) allows Absolute Path Traversal.1.3, before. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Microsoft Path Traversal Tableau Server Windows
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-26497 HIGH This Week

Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Editor modules) allows Absolute Path Traversal.1.3, before 2024.2.12, before. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Microsoft Path Traversal Tableau Server Windows
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-26496 CRITICAL Act Now

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Salesforce Tableau Server, Tableau Desktop on Windows, Linux (File Upload modules) allows Local Code Inclusion.1.3,. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption File Upload Microsoft Tableau Server Windows +1
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-52454 HIGH This Week

Salesforce Tableau Server on Windows and Linux allows authenticated attackers with low privileges to conduct Server-Side Request Forgery attacks through the Amazon S3 Connector module, enabling resource location spoofing that could result in unauthorized access to internal systems and data exfiltration. Versions before 2025.1.3, 2024.2.12, and 2023.3.19 are affected. EPSS score of 0.04% (12th percentile) indicates minimal observed exploitation activity, and no public exploit has been identified at time of analysis.

Salesforce SSRF Windows Linux AWS +1
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-26495 HIGH This Week

Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories.1.3, before 2021.4.8, before 2021.3.13,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Tableau Server
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-26494 HIGH This Month

Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server allows Authentication Bypass.3 through 2023.3.5. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Authentication Bypass Tableau Server
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2022-22128 CRITICAL Act Now

Tableau discovered a path traversal vulnerability affecting Tableau Server Administration Agent’s internal file transfer service that could allow remote code execution.Tableau only supports product. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Tableau Server
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-22127 HIGH This Week

Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server customers using Local Identity Store for managing users. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Tableau Server
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2021-1629 MEDIUM POC This Month

Tableau Server fails to validate certain URLs that are embedded in emails sent to Tableau Server users. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Tableau Server
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2020-6939 CRITICAL Act Now

Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Tableau Server
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-6938 HIGH This Week

A sensitive information disclosure vulnerability in Tableau Server 10.5, 2018.x, 2019.x, 2020.x released before June 26, 2020, could allow access to sensitive information in log files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Tableau Server
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2019-19719 MEDIUM This Month

Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Microsoft Tableau Server
NVD
CVSS 3.1
6.1
EPSS
22.0%
CVE-2019-15637 HIGH POC THREAT This Week

Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Information Disclosure Tableau Server Tableau Desktop Tableau Reader +1
NVD GitHub Exploit-DB
CVSS 3.1
8.1
EPSS
14.3%
CVE-2017-5178 CRITICAL Act Now

An issue was discovered in Schneider Electric Tableau Server/Desktop Versions 7.0 to 10.1.3 in Wonderware Intelligence Versions 2014R3 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Schneider Electric Tableau Desktop Tableau Server +1
NVD
CVSS 3.0
9.8
EPSS
1.9%
CVE-2014-1204 HIGH POC This Week

SQL injection vulnerability in Tableau Server 8.0.x before 8.0.7 and 8.1.x before 8.1.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Tableau Server
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
2.3%
EPSS 0% CVSS 8.5
HIGH This Month

Improper Input Validation vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal.1.3, before 2024.2.12,. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Microsoft Path Traversal Tableau Server +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux (abdoc api - create-data-source-from-file-upload modules). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Path Traversal Tableau Server +1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (establish-connection-no-undo modules) allows Absolute Path Traversal.1.3, before. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Microsoft Path Traversal +2
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Editor modules) allows Absolute Path Traversal.1.3, before 2024.2.12, before. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Microsoft Path Traversal +2
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Salesforce Tableau Server, Tableau Desktop on Windows, Linux (File Upload modules) allows Local Code Inclusion.1.3,. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption File Upload Microsoft +3
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Salesforce Tableau Server on Windows and Linux allows authenticated attackers with low privileges to conduct Server-Side Request Forgery attacks through the Amazon S3 Connector module, enabling resource location spoofing that could result in unauthorized access to internal systems and data exfiltration. Versions before 2025.1.3, 2024.2.12, and 2023.3.19 are affected. EPSS score of 0.04% (12th percentile) indicates minimal observed exploitation activity, and no public exploit has been identified at time of analysis.

Salesforce SSRF Windows +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into logging repositories.1.3, before 2021.4.8, before 2021.3.13,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Tableau Server
NVD
EPSS 0% CVSS 7.7
HIGH This Month

Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server allows Authentication Bypass.3 through 2023.3.5. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Authentication Bypass Tableau Server
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Tableau discovered a path traversal vulnerability affecting Tableau Server Administration Agent’s internal file transfer service that could allow remote code execution.Tableau only supports product. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Tableau Server
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server customers using Local Identity Store for managing users. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Tableau Server
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Tableau Server fails to validate certain URLs that are embedded in emails sent to Tableau Server users. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Tableau Server
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Tableau Server
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A sensitive information disclosure vulnerability in Tableau Server 10.5, 2018.x, 2019.x, 2020.x released before June 26, 2020, could allow access to sensitive information in log files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Tableau Server
NVD
EPSS 22% CVSS 6.1
MEDIUM This Month

Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Microsoft Tableau Server
NVD
EPSS 14% CVSS 8.1
HIGH POC THREAT This Week

Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a DoS. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XXE Information Disclosure Tableau Server +3
NVD GitHub Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Schneider Electric Tableau Server/Desktop Versions 7.0 to 10.1.3 in Wonderware Intelligence Versions 2014R3 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Schneider Electric +3
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

SQL injection vulnerability in Tableau Server 8.0.x before 8.0.7 and 8.1.x before 8.1.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Tableau Server
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy