Qlik

Products by Qlik Sorted by Most Security Vulnerabilities since 2018

Qlik Sense: 6 vulnerabilities

Qlikview: 3 vulnerabilities

Qlik Nprinting Designer: 1 vulnerability

Qlik Analytics: 1 vulnerability

Qlikview Server: 1 vulnerability

Known Exploited Qlik Vulnerabilities

The following Qlik vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

| Title | Description | CVE | Exploit Probability | Added |
|---|---|---|---|---|
| Qlik Sense HTTP Tunneling Vulnerability | Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software. | CVE-2023-48365 | 64.2% | January 13, 2025 |
| Qlik Sense Path Traversal Vulnerability | Qlik Sense contains a path traversal vulnerability that allows a remote, unauthenticated attacker to create an anonymous session by sending maliciously crafted HTTP requests. This anonymous session could allow the attacker to send further requests to unauthorized endpoints. | CVE-2023-41266 | 94.3% | December 7, 2023 |
| Qlik Sense HTTP Tunneling Vulnerability | Qlik Sense contains an HTTP tunneling vulnerability that allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software. | CVE-2023-41265 | 92.5% | December 7, 2023 |

Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2023-48365: Qlik Sense HTTP Tunneling Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there has been 1 vulnerability in Qlik with an average score of 6.2 out of ten. Qlik did not have any published security vulnerabilities last year. That is, 1 more vulnerability has already been reported in 2026 as compared to last year.

| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 6.20 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 6 | 8.07 |
| 2022 | 2 | 5.30 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 6.50 |

It may take a day or so for new Qlik vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Qlik Security Vulnerabilities

| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2020-36994 | Jan 29, 2026 | QlikView 12.50 DoS via FTP Server Addr Input Buffer Overflow: QlikView 12.50.20000.0 contains a denial of service vulnerability in the FTP server address input field that allows local attackers to crash the application. Attackers can paste a 300-character buffer into the FTP server address field to trigger an application crash and prevent normal functionality. | Qlikview |
| CVE-2023-48365 | Nov 15, 2023 | Qlik Sense Ent. (Win) RCE via HTTP Header Validation (unauthentic): Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265. | Qlik Sense |
| CVE-2023-41266 | Aug 29, 2023 | Qlik Sense Enterprise Path Traversal, Authless Session (CVE-2023-41266): A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13. | Qlik Sense |
| CVE-2023-41265 | Aug 29, 2023 | HTTP Request Tunneling in Qlik Sense Enterprise for Windows: An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13. | Qlik Sense |
| CVE-2022-42248 | Mar 06, 2023 | Stored XSS in QlikView 12.60.2 QvsViewClient: QlikView 12.60.2 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the QvsViewClient functionality. | Qlikview |
| CVE-2021-41989 | Jan 26, 2023 | QlikView <=12.60.20100.0 Temporary File Insecure Permissions: Qlik QlikView through 12.60.20100.0 creates a Temporary File in a Directory with Insecure Permissions. | Qlikview |
| CVE-2021-41988 | Jan 26, 2023 | Qlik NPrinting Designer pre-21.14.3.0 insecure temp file: Qlik NPrinting Designer through 21.14.3.0 creates a Temporary File in a Directory with Insecure Permissions. | Nprinting Designer |
| CVE-2021-36761 | Jun 21, 2022 | The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows SSRF. | Qlik Sense |
| CVE-2022-0564 | Feb 21, 2022 | A vulnerability in Qlik Sense Enterprise on Windows could allow a remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response times that are returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured. The affected URI is /internal_forms_authentication/; the response time of the form is longer if the supplied user does not exist and shorter if the user exists. | Qlik Sense |
| CVE-2019-11628 | May 01, 2019 | An issue was discovered in QlikView Server before 11.20 SR19, 12.00 and 12.10 before 12.10 SR11, 12.20 before SR9, and 12.30 before SR2; and Qlik Sense Enterprise and Qlik Analytics Platform installations that lack these patch levels: February 2018 Patch 4, April 2018 Patch 3, June 2018 Patch 3, September 2018 Patch 4, November 2018 Patch 4, or February 2019 Patch 2. An authenticated user may be able to bypass intended file-read restrictions via crafted Browser requests. | Qlikview Server, Qlik Analytics, Qlik Sense, and others |
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).