CVE-2025-26497: 
Tableau Server vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-26497) was discovered in Salesforce Tableau Server affecting Windows and Linux platforms, specifically in the Flow Editor modules. The vulnerability was disclosed on August 22, 2025, and involves an Unrestricted Upload of File with Dangerous Type that allows Absolute Path Traversal. The affected versions include Tableau Server installations before 2025.1.3, before 2024.2.12, and before 2023.3.19 (NVD, AttackerKB).

The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is characterized by unrestricted file upload capabilities combined with path traversal weaknesses, specifically in the Flow Editor module. The attack vector is network-accessible, requires low attack complexity, and needs no privileges or user interaction for exploitation (NVD).

The vulnerability can lead to unauthorized file uploads and absolute path traversal, potentially allowing attackers to write files to arbitrary locations on the server filesystem. This could result in compromised confidentiality, integrity, and availability of the affected systems (Security Online).

Salesforce has released patches to address this vulnerability. Organizations are strongly advised to upgrade to the following versions: Tableau Server 2025.1.3 or later, 2024.2.12 or later, or 2023.3.19 or later. The fixes were included in the July 22, 2025 maintenance release (GBHackers).