Talend


Products by Talend, sorted by most security vulnerabilities since 2018

Talend Administration Center: 6 vulnerabilities
Talend Data Catalog: 5 vulnerabilities
Talend Esb Runtime: 3 vulnerabilities
Talend Jobserver: 1 vulnerability
Talend Open Studio: 1 vulnerability
Talend Studio: 1 vulnerability

By the Year

In 2026 there have been 3 vulnerabilities in Talend with an average score of 7.8 out of 10. Talend had no published security vulnerabilities in 2025, so 2026 is already 3 vulnerabilities ahead of last year.

Year  Vulnerabilities  Average Score
2026  3                7.80
2025  0                0.00
2024  0                0.00
2023  9                7.07
2022  4                5.85
2021  2                9.45

It may take a day or so for new Talend vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name, so the per-product counts above and the product labels below do not always line up.

Recent Talend Security Vulnerabilities

Each entry gives the CVE, its publication date, the affected Talend product(s), and a summary.

CVE-2026-9057 (May 20, 2026) - Administration Center
Talend Administration Center broken access control. A broken access control issue has been identified in the Talend Administration Center that allows a user with only View permission to modify the Talend Studio update URL, i.e. to change where Studio clients fetch their updates from. This issue was resolved in a patch, which is already available.

CVE-2026-9056 (May 20, 2026) - Administration Center
Talend Administration Center stored XSS via Server Manager. A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store an XSS payload that is triggered when a different user views it.

CVE-2026-6264 (Apr 14, 2026) - Jobserver, Esb Runtime
Talend JobServer RCE via unauthenticated JMX monitoring port. A critical vulnerability in Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port of the Talend JobServer. For Talend JobServer the issue can be mitigated by requiring TLS client authentication on the monitoring port, but the patch must be applied for full remediation. For Talend ESB Runtime it can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch onward.

CVE-2023-36301 (Jun 26, 2023) - Data Catalog
Talend Data Catalog <8.0-20230221 directory traversal via HeaderImageServlet. Talend Data Catalog before 8.0-20230221 contains a directory traversal vulnerability in HeaderImageServlet.

CVE-2023-33247 (May 26, 2023) - Data Catalog
Talend Data Catalog <8.0-20230413: unauthenticated WAR deployment via /upgrade. The Talend Data Catalog remote harvesting server before 8.0-20230413 exposes a /upgrade endpoint that allows an unauthenticated WAR file to be deployed on the server. (Mitigation: the remote harvesting server should sit behind a firewall that only allows the Talend Data Catalog server to reach it.)

CVE-2023-31444 (Apr 28, 2023) - Studio
Talend Studio microservices (<7.3.1-R2022-10, 8.x <8.0.1-R2022-09): unauthenticated Jolokia endpoint. In Talend Studio before 7.3.1-R2022-10 and 8.x before 8.0.1-R2022-09, microservices allow unauthenticated access to the Jolokia endpoint of the microservice, giving remote access to the JVM via the Jolokia JMX-HTTP bridge.

CVE-2023-26263 (Apr 13, 2023) - Data Catalog
Talend Data Catalog <8.0-20230110 XXE at /MIMBWebServices/license. All versions of Talend Data Catalog before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server.

CVE-2023-26264 (Apr 13, 2023) - Data Catalog
Talend Data Catalog <8.0-20220907 XXE in license parser. All versions of Talend Data Catalog before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code.

CVE-2022-45589 (Feb 06, 2023) - Esb Runtime
SQL injection in Talend ESB Runtime provisioning service (<8.0.1-R2022-10-RT, <7.3.1-R2022-09-RT). All versions before 8.0.1-R2022-10-RT and 7.3.1-R2022-09-RT of Talend ESB Runtime are potentially vulnerable to SQL injection, in the provisioning service only. Users of the provisioning service should upgrade to 8.0.1-R2022-10-RT or 7.3.1-R2022-09-RT, or a later release, in place of the previous version.

CVE-2022-45588 (Feb 03, 2023) - Remote Engine Gen 2
Talend Remote Engine Gen 2 XXE in XML processing. All versions before R2022-09 of Talend Remote Engine Gen 2 are potentially vulnerable to XML External Entity (XXE) attacks. Users should download the R2022-09 release or later and use it in place of the previous version. Talend Remote Engine Gen 1 and Talend Cloud Engine for Design are not impacted. This XXE could only be exploited by someone with the rights to edit pipelines on the Talend platform; it could not be triggered remotely or by other user input.

CVE-2022-30332 (Jan 10, 2023) - Administration Center
Talend Administration Center 7.3.1.20200219: account enumeration via password-reset errors. In Talend Administration Center 7.3.1.20200219 before TAC-15950, the Forgot Password feature returns different error messages for invalid reset attempts depending on whether the email address is associated with an account. This allows remote attackers to enumerate accounts via a series of requests.

CVE-2021-4311 (Jan 09, 2023) - Open Studio
XXE in Talend Open Studio for MDM XML Handler. A vulnerability classified as problematic was found in Talend Open Studio for MDM, in unspecified code of the XML Handler component; manipulation leads to an XML external entity reference. The fix is the patch identified as 31d442b9fb1d518128fd18f6e4d54e06c3d67793, which should be applied. VulDB identifier: VDB-217666.

CVE-2022-4818 (Dec 28, 2022) - Open Studio For Mdm
Talend Open Studio for MDM XXE via SystemStorageWrapper. A vulnerability declared as problematic was found in Talend Open Studio for MDM, in unspecified functionality of the file org.talend.mdm.core/src/com/amalto/core/storage/SystemStorageWrapper.java; manipulation leads to an XML external entity reference. Upgrading to version 20221220_1938 addresses the issue (patch 95590db2ad6a582c371273ceab1a73ad6ed47853). VulDB identifier: VDB-216997.

CVE-2022-31648 (May 26, 2022) - Administration Center
Talend Administration Center reflected XSS in the SSO login endpoint. Talend Administration Center is vulnerable to a reflected cross-site scripting (XSS) issue in the SSO login endpoint. The issue is fixed for 8.0.x in TPS-5233, for 7.3.x in TPS-5324, and for 7.2.x in TPS-5235. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.

CVE-2022-29942 (May 04, 2022) - Administration Center
Talend Administration Center SSRF via Service Registry 'Add'. Talend Administration Center allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests against URLs on the internal network. The issue is fixed for 8.0.x in TPS-5189, for 7.3.x in TPS-5175, and for 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.

CVE-2022-29943 (May 04, 2022) - Administration Center
Talend Administration Center XXE with root file read. Talend Administration Center allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for 8.0.x in TPS-5189, for 7.3.x in TPS-5175, and for 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.

CVE-2021-42837 (Nov 05, 2021) - Data Catalog
Talend Data Catalog <7.3-20210930 authentication bypass on the native login page. After SAML/OAuth is set up, authentication is not correctly enforced on the native login page: any valid user from the SAML/OAuth provider can be used as the username with an arbitrary password, and login succeeds.

CVE-2021-40684 (Sep 22, 2021) - Esb Runtime
Talend ESB Runtime unauthenticated Jolokia HTTP endpoint. Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09 and 7.1.1-R2021-09 has an unauthenticated Jolokia HTTP endpoint that allows remote access to the JMX of the runtime container, giving an attacker the ability to read or modify the container or the software running in it.
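The two Jolokia entries above (CVE-2021-40684 in Talend ESB Runtime and CVE-2023-31444 in Talend Studio microservices) share one symptom: a Jolokia agent answers JMX requests over HTTP with no credentials. The Python probe below is an added example written for this page, not code from stack.watch or Talend. It assumes the agent is reachable at common Jolokia paths (the page gives no Talend-specific path, so CANDIDATE_PATHS is a guess to adjust per deployment) and embeds constructed sample replies so the classifier can be exercised offline; the host name in the usage line is a placeholder.

```python
"""Check whether a Jolokia JMX-HTTP bridge answers without authentication.

Added example for this page; it is not Talend's or stack.watch's code.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: Jolokia agents are commonly served at these paths. The page
# does not give the Talend-specific path, so adjust per deployment.
CANDIDATE_PATHS = ("/jolokia/version", "/jolokia/", "/hawtio/jolokia/version")


def classify_jolokia_response(status: int, body: bytes) -> str:
    """Classify an HTTP reply to an unauthenticated Jolokia 'version' request.

    'exposed'   - the agent returned its version document, so JMX is reachable
                  without credentials (the condition the two CVEs describe)
    'protected' - the server demanded authentication (401/403)
    'absent'    - anything else (no agent at this path, or a non-Jolokia reply)
    """
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "absent"
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "absent"
    if not isinstance(doc, dict):
        return "absent"
    value = doc.get("value")
    # A genuine Jolokia version reply carries status 200 and an agent version.
    if doc.get("status") == 200 and isinstance(value, dict) and "agent" in value:
        return "exposed"
    return "absent"


def read_url(base_url: str, mbean: str, attribute: str) -> str:
    """Build the Jolokia GET URL that reads one MBean attribute.

    Once the agent is exposed, requests of this shape (and their 'write' and
    'exec' counterparts) are all that is needed to read or modify the JVM.
    """
    path = "/jolokia/read/%s/%s" % (
        urllib.parse.quote(mbean, safe=":=,"),
        urllib.parse.quote(attribute, safe=""),
    )
    return base_url.rstrip("/") + path


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Request each candidate path with no credentials and classify the reply."""
    results = {}
    for path in CANDIDATE_PATHS:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[path] = classify_jolokia_response(resp.status, resp.read())
        except urllib.error.HTTPError as err:
            results[path] = classify_jolokia_response(err.code, err.read() or b"")
        except (urllib.error.URLError, OSError):
            results[path] = "unreachable"
    return results


# Constructed sample replies (not captured from a real Talend host).
SAMPLE_EXPOSED = (b'{"request":{"type":"version"},'
                  b'"value":{"agent":"1.6.2","protocol":"7.2","config":{}},'
                  b'"timestamp":1700000000,"status":200}')
SAMPLE_PROTECTED = b"<html><body>401 Unauthorized</body></html>"
SAMPLE_NOT_JOLOKIA = b'{"status":200,"value":"UP"}'

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python jolokia_probe.py http://runtime.example:8040
        for path, verdict in probe(sys.argv[1]).items():
            print(path, verdict)
    else:
        print("sample exposed reply ->", classify_jolokia_response(200, SAMPLE_EXPOSED))
        print("sample read URL ->",
              read_url("http://runtime.example:8040", "java.lang:type=Runtime", "ClassPath"))
```

The classifier treats only a well-formed Jolokia version document as "exposed", so a generic health endpoint that happens to return JSON with status 200 is not a false positive; a 401 or 403 is the expected result after the fixes listed above are applied or after the endpoint is put behind authentication.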
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.