CVE-2023-48365 [Exploited]

Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. The fixed versions are August 2023 Patch 2, May 2023 Patch 6, February 2023 Patch 10, November 2022 Patch 12, August 2022 Patch 14, May 2022 Patch 16, February 2022 Patch 15, and November 2021 Patch 17. NOTE: this issue exists because of an incomplete fix for CVE-2023-41265.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	56.22%	24.68%	-31.54%
2	2026-06-08	51.73%	56.22%	+4.48%
3	2026-05-31	—	51.73%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

56.22%

24.68%

-31.54%

2026-06-08

51.73%

56.22%

+4.48%

2026-05-31

—

51.73%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.6	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:N) Service keeps running; no real outage angle.	3.1	5.8	[email protected]
9.9	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.1	6.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.6

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N): Service keeps running; no real outage angle.

3.1

5.8

[email protected]

9.9

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.1

6.0

[email protected]

Affected software / configurations for CVE-2023-48365

Vendor	Product	Version	Raw CPE
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:-:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_1:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_10:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_11:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_12:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_13:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_2:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_3:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_4:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_5:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_6:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_7:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_8:::enterprise:windows::
qlik	qlik_sense	august_2022	cpe:2.3:a:qlik:qlik_sense:august_2022:patch_9:::enterprise:windows::
qlik	qlik_sense	august_2023	cpe:2.3:a:qlik:qlik_sense:august_2023:-:::enterprise:windows::
qlik	qlik_sense	august_2023	cpe:2.3:a:qlik:qlik_sense:august_2023:patch_1:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:-:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_1:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_10:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_11:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_12:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_13:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_14:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_2:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_3:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_4:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_5:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_6:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_7:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_8:::enterprise:windows::
qlik	qlik_sense	february_2022	cpe:2.3:a:qlik:qlik_sense:february_2022:patch_9:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:-:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:patch_1:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:patch_2:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:patch_3:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:patch_4:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:patch_5:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:patch_6:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:patch_7:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:patch_8:::enterprise:windows::
qlik	qlik_sense	february_2023	cpe:2.3:a:qlik:qlik_sense:february_2023:patch_9:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:-:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_1:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_10:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_11:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_12:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_13:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_14:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_15:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_2:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_3:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_4:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_5:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_6:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_7:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_8:::enterprise:windows::
qlik	qlik_sense	may_2022	cpe:2.3:a:qlik:qlik_sense:may_2022:patch_9:::enterprise:windows::
qlik	qlik_sense	may_2023	cpe:2.3:a:qlik:qlik_sense:may_2023:-:::enterprise:windows::
qlik	qlik_sense	may_2023	cpe:2.3:a:qlik:qlik_sense:may_2023:patch_1:::enterprise:windows::
qlik	qlik_sense	may_2023	cpe:2.3:a:qlik:qlik_sense:may_2023:patch_2:::enterprise:windows::
qlik	qlik_sense	may_2023	cpe:2.3:a:qlik:qlik_sense:may_2023:patch_3:::enterprise:windows::
qlik	qlik_sense	may_2023	cpe:2.3:a:qlik:qlik_sense:may_2023:patch_4:::enterprise:windows::
qlik	qlik_sense	may_2023	cpe:2.3:a:qlik:qlik_sense:may_2023:patch_5:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:-:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_1:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_10:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_11:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_12:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_13:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_14:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_15:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_16:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_2:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_3:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_4:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_5:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_6:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_7:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_8:::enterprise:windows::
qlik	qlik_sense	november_2021	cpe:2.3:a:qlik:qlik_sense:november_2021:patch_9:::enterprise:windows::

References for CVE-2023-48365

URL	Tags
https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/tac-p/2120510	Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-48365	US Government Resource

URL

CVE-2023-48365

CISA KEV Record for CVE-2023-48365

Exploit prediction scoring system (EPSS) score for CVE-2023-48365

Common vulnerability scoring system (CVSS) metrics for CVE-2023-48365

Weakness enumeration for CVE-2023-48365

Affected software / configurations for CVE-2023-48365

References for CVE-2023-48365