CVE-2025-26497
BaseFortify
Publication date: 2025-08-22
Last updated on: 2025-11-06
Assigner: Salesforce, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | From 5.15.160 (inc) to 5.16 (inc) |
| tableau | tableau_server | to 2023.3.19 (exc) |
| tableau | tableau_server | From 2024.2 (inc) to 2024.2.12 (exc) |
| tableau | tableau_server | From 2025.1 (inc) to 2025.1.3 (exc) |
| microsoft | windows | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Unrestricted Upload of File with Dangerous Type in Salesforce Tableau Server on Windows and Linux, specifically in the Flow Editor modules. It allows an attacker to perform Absolute Path Traversal, meaning they can upload files to arbitrary locations on the server's file system, potentially leading to unauthorized access or modification of files.
How can this vulnerability impact me? :
This vulnerability can allow attackers to upload malicious files to arbitrary locations on the server, which can lead to unauthorized access, data modification, or execution of malicious code. This can compromise the integrity and security of the Tableau Server environment.