Tableau Tableau Server — known CVE vulnerabilities
Every CVE whose affected-product data names Tableau Tableau Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (22)
CVE-2022-22128 — CVSS 9.8 (critical): Tableau discovered a path traversal vulnerability affecting Tableau Server Administration Agent’s internal file transfer service that…
CVE-2020-6939 — CVSS 9.8 (critical): Tableau Server installations configured with Site-Specific SAML that allows the APIs to be used by unauthenticated users. If exploited…
CVE-2025-26496 — CVSS 9.3 (critical): Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Salesforce Tableau Server, Tableau Desktop on Windows, Linux…
CVE-2025-52449 — CVSS 8.5 (high): Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Extensible Protocol Service…
CVE-2025-52451 — CVSS 8.5 (high): Improper Input Validation vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload…
CVE-2025-52452 — CVSS 8.5 (high): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux…
CVE-2025-52454 — CVSS 8.2 (high): Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (Amazon S3 Connector modules) allows…
CVE-2025-52453 — CVSS 8.2 (high): Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Data Source modules) allows Resource…
CVE-2025-52448 — CVSS 8.1 (high): Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api…
CVE-2019-15637 — CVSS 8.1 (high): Numerous Tableau products are vulnerable to XXE via a malicious workbook, extension, or data source, leading to information disclosure or a…
CVE-2025-52447 — CVSS 8.1 (high): Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (set-initial-sql tabdoc…
CVE-2025-52446 — CVSS 8.0 (high): Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (tab-doc api modules) allows…
CVE-2025-26494 — CVSS 7.7 (high): Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server allows Authentication Bypass.This issue affects Tableau…
CVE-2020-6938 — CVSS 7.5 (high): A sensitive information disclosure vulnerability in Tableau Server 10.5, 2018.x, 2019.x, 2020.x released before June 26, 2020, could allow…
CVE-2025-26495 — CVSS 7.5 (high): Cleartext Storage of Sensitive Information vulnerability in Salesforce Tableau Server can record the Personal Access Token (PAT) into…
CVE-2025-26498 — CVSS 7.3 (high): Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (establish-connection-no-undo…
CVE-2025-26497 — CVSS 7.3 (high): Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Editor modules) allows…
CVE-2022-22127 — CVSS 7.2 (high): Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server customers using Local Identity…
CVE-2025-52450 — CVSS 6.5 (medium): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux…
CVE-2021-1629 — CVSS 6.1 (medium): Tableau Server fails to validate certain URLs that are embedded in emails sent to Tableau Server users.
CVE-2019-19719 — CVSS 6.1 (medium): Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
CVE-2025-52455 — CVSS 5.3 (medium): Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (EPS Server modules) allows Resource…