CVE-2025-3115

CRITICAL

TIBCO Spotfire Enterprise Runtime for R < 6.1.5 - Code Injection and Arbitrary File Upload

Title source: llm

Description

Injection Vulnerabilities: Attackers can inject malicious code, potentially gaining control over the system executing these functions. Additionally, insufficient validation of filenames during file uploads can enable attackers to upload and execute malicious files, leading to arbitrary code execution

References (1)

Core 1

Core References

Various Sources

https://community.spotfire.com/articles/spotfire/spotfire-security-advisory-april-08-2025-spotfire-cve-2025-3115-r3485/

Scores

CVSS v3 9.8

EPSS 0.0044

EPSS Percentile 63.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (27)

tibco/spotfire_analyst 14.1.0

tibco/spotfire_analyst 14.2.0

tibco/spotfire_analyst 14.3.0

tibco/spotfire_analyst 14.4.0

tibco/spotfire_analyst 14.4.1

tibco/spotfire_analyst < 14.0.6

tibco/spotfire_analytics_platform < 14.4.2

tibco/spotfire_deployment_kit 14.1.0

tibco/spotfire_deployment_kit 14.2.0

tibco/spotfire_deployment_kit 14.3.0

... and 17 more

Published Apr 09, 2025

Tracked Since Feb 18, 2026