Perforce

Products by Perforce Sorted by Most Security Vulnerabilities since 2018

Perforce Helix Core: 8 vulnerabilities

Perforce Akana Api: 3 vulnerabilities

Perforce Helix Alm: 2 vulnerabilities

Perforce Helix Sync: 1 vulnerability

Perforce Jviews: 1 vulnerability

Perforce: 1 vulnerability

Perforce Puppet Bolt: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Perforce. Last year, in 2025, Perforce had 3 security vulnerabilities published. Right now, Perforce is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 3 0.00
2024 8 7.60
2023 4 8.08
2022 1 3.50
2021 2 5.10
2020 0 0.00
2019 0 0.00
2018 1 6.50

It may take a day or so for new Perforce vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Perforce Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-14591 Dec 20, 2025
CSV Parser EOR Misconfiguration Exposes PII
In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked.
CVE-2025-13472 Dec 03, 2025
BlazeMeter Jenkins Plugin 4.27 Info Disclosure via Denied Permission Dropdown
A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow only users with certain permissions to see the list of available resources such as credential IDs, bzm workspaces and bzm project IDs. Prior to this fix, anyone could see this list as a dropdown in the Jenkins UI.
CVE-2025-10360 Sep 24, 2025
Puppet Enterprise 2025.4-2025.5: Sensitive Infra Assistant Key Exposed in Backup
In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.
CVE-2024-10314 Nov 11, 2024
Helix Core <2024.2 Unauth RCE Auto-Gen DoS
In Helix Core versions prior to 2024.2, an unauthenticated remote Denial of Service (DoS) via the auto-generation function was identified. Reported by Karol Więsek.
Helix Core
CVE-2024-10344 Nov 11, 2024
Helix Core DoS via Refuse Function
In Helix Core versions prior to 2024.2, an unauthenticated remote Denial of Service (DoS) via the refuse function was identified. Reported by Karol Więsek.
Helix Core
CVE-2024-10345 Nov 11, 2024
Helix Core <2024.2 Unauth Remote DoS via Shutdown
In Helix Core versions prior to 2024.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified. Reported by Karol Więsek.
Helix Core
CVE-2024-8067 Sep 25, 2024
Helix Core Windows Unicode Injection via ANSI API (before 2024.1 Patch 2)
In versions of Helix Core prior to 2024.1 Patch 2 (2024.1/2655224), a Windows ANSI API Unicode "best fit" argument injection was identified.
Helix Core
CVE-2024-3930 Jul 30, 2024
Akana API Platform XXE Vulnerability (Pre-2024.1.0)
In versions of Akana API Platform prior to 2024.1.0, a flaw resulting in XML External Entity (XXE) was discovered.
Akana Api
CVE-2024-5249 Jul 30, 2024
Akana API Platform 2024.1.0 - SAML Token Replay Before 2024.1.0
In versions of Akana API Platform prior to 2024.1.0, SAML tokens can be replayed.
Akana Api
CVE-2024-5250 Jul 30, 2024
Akana API Platform <2024.1.0: Info Leakage via Verbose SAML Errors
In versions of Akana API Platform prior to 2024.1.0, overly verbose errors can be found in SAML integrations.
Akana Api
CVE-2024-0325 Feb 01, 2024
Helix Sync <2024.1 Local Cmd Injection
In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins.
Helix Sync
CVE-2023-5759 Nov 08, 2023
Helix Core unauthenticated remote DoS via buffer (pre-2023.2)
In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified. Reported by Jason Geffner.
Helix Core
CVE-2023-45319 Nov 08, 2023
Helix Core <2023.2 Unauth Remote DoS via Commit
In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the commit function was identified. Reported by Jason Geffner.
Helix Core
CVE-2023-45849 Nov 08, 2023
Helix Core ACE PrivEsc before 2023.2
An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. Reported by Jason Geffner.
Helix Core
CVE-2023-35767 Nov 08, 2023
Helix Core <=2023.2 Unauth R3D DoS via Shutdown
In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified. Reported by Jason Geffner.
Helix Core
CVE-2022-2394 Jul 19, 2022
Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run, resulting in them potentially being logged when run programmatically, such as via Puppet Enterprise.
Puppet Bolt
CVE-2021-28973 Apr 13, 2021
The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks.
Helix Alm
CVE-2021-29997 Apr 13, 2021
An issue was discovered in Wind River VxWorks 7 before 21.03. A specially crafted packet may lead to buffer over-read on IKE.
Helix Alm
CVE-2018-1000147 Apr 05, 2018
An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with insufficient permission to obtain Perforce passwords configured in jobs.
Perforce
CVE-2015-8965 Apr 06, 2017
Rogue Wave JViews before 8.8 patch 21 and 8.9 before patch 1 allows remote attackers to execute arbitrary Java code that exists in the classpath, such as test code or administration code. The issue exists because the ilog.views.faces.IlvFacesController servlet in jviews-framework-all.jar does not require explicit configuration of servlets that can be called.
Jviews
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).