212 vulnerabilities found for splunk_cloud_platform by splunk
CVE-2026-20259 (GCVE-0-2026-20259)
Vulnerability from nvd – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:24
Title
Improper Access Control in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.12 (custom); Affected: 10.2.2510, < 10.2.2510.15 (custom); Affected: 10.1.2507, < 10.1.2507.23 (custom); Affected: 10.0.2503, < 10.0.2503.14 (custom); Affected: 9.3.2411, < 9.3.2411.131 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:24:17.180120Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:24:37.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.12",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.14",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.131",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andres Perez, Splunk"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control."
}
],
"value": "In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:02.256Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0609"
}
],
"source": {
"advisory": "SVD-2026-0609"
},
"title": "Improper Access Control in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20259",
"datePublished": "2026-06-10T17:16:02.256Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:24:37.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20258 (GCVE-0-2026-20258)
Vulnerability from nvd – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:22
Title
Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user.
The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom); Affected: 9.4, < 9.4.12 (custom); Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.11 (custom); Affected: 10.2.2510, < 10.2.2510.15 (custom); Affected: 10.1.2507, < 10.1.2507.23 (custom); Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:22:19.768336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:22:27.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.11",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Tong"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:23.870Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0608"
}
],
"source": {
"advisory": "SVD-2026-0608"
},
"title": "Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20258",
"datePublished": "2026-06-10T17:16:23.870Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:22:27.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20257 (GCVE-0-2026-20257)
Vulnerability from nvd – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:24
Title
Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it.
The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List.
The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom); Affected: 9.4, < 9.4.12 (custom); Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.13 (custom); Affected: 10.2.2510, < 10.2.2510.15 (custom); Affected: 10.1.2507, < 10.1.2507.23 (custom); Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:23:55.427272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:24:02.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.13",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Tong (tongster)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. \n\nThe exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. \n\nThe exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:03.885Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0607"
}
],
"source": {
"advisory": "SVD-2026-0607"
},
"title": "Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20257",
"datePublished": "2026-06-10T17:16:03.885Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:24:02.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20256 (GCVE-0-2026-20256)
Vulnerability from nvd – Published: 2026-06-10 17:15 – Updated: 2026-06-10 18:19
Title
Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.
The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom); Affected: 9.4, < 9.4.12 (custom); Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.13 (custom); Affected: 10.2.2510, < 10.2.2510.15 (custom); Affected: 10.1.2507, < 10.1.2507.23 (custom); Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:18:59.939227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:19:26.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.13",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Tong (tongster)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.\u003cbr\u003e\u003cbr\u003eThe vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.\u003cbr\u003e\u003cbr\u003eThe vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:15:55.966Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0606"
}
],
"source": {
"advisory": "SVD-2026-0606"
},
"title": "Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20256",
"datePublished": "2026-06-10T17:15:55.966Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:19:26.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20255 (GCVE-0-2026-20255)
Vulnerability from nvd – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:25
Title
Improper Input Validation through Classic Dashboards in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server.
The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom); Affected: 9.4, < 9.4.12 (custom); Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.13 (custom); Affected: 10.2.2510, < 10.2.2510.15 (custom); Affected: 10.1.2507, < 10.1.2507.23 (custom); Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:25:06.072954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:25:12.492Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.13",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Tong (tongster)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server. \n\nThe vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server. \n\nThe vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:00.962Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0605"
}
],
"source": {
"advisory": "SVD-2026-0605"
},
"title": "Improper Input Validation through Classic Dashboards in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20255",
"datePublished": "2026-06-10T17:16:00.962Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:25:12.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20254 (GCVE-0-2026-20254)
Vulnerability from nvd – Published: 2026-06-10 17:15 – Updated: 2026-06-10 18:27
Title
Information Disclosure through External Content Restriction Bypass in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.
The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom); Affected: 9.4, < 9.4.12 (custom); Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.13 (custom); Affected: 10.2.2510, < 10.2.2510.15 (custom); Affected: 10.1.2507, < 10.1.2507.23 (custom); Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:26:45.451095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:27:01.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.13",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Fredrik Alexandersson (stok)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.\u003cbr\u003e\u003cbr\u003eThe Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.\u003cbr\u003e\u003cbr\u003eThe Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:15:59.452Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0604"
}
],
"source": {
"advisory": "SVD-2026-0604"
},
"title": "Information Disclosure through External Content Restriction Bypass in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20254",
"datePublished": "2026-06-10T17:15:59.452Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:27:01.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20252 (GCVE-0-2026-20252)
Vulnerability from nvd – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:23
Title
Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature.
The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom); Affected: 9.4, < 9.4.12 (custom); Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2604, < 10.4.2604.3 (custom); Affected: 10.3.2512, < 10.3.2512.12 (custom); Affected: 10.2.2510, < 10.2.2510.14 (custom); Affected: 10.1.2507, < 10.1.2507.22 (custom); Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:23:29.592434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:23:36.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.4.2604.3",
"status": "affected",
"version": "10.4.2604",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.12",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.14",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.22",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "M Mahdan Argya Syarif (0xbeludan)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. \n\nThe vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. \n\nThe vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:19.518Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0602"
}
],
"source": {
"advisory": "SVD-2026-0602"
},
"title": "Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20252",
"datePublished": "2026-06-10T17:16:19.518Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:23:36.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20251 (GCVE-0-2026-20251)
Vulnerability from nvd – Published: 2026-06-10 17:16 – Updated: 2026-06-11 03:55
Title
Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.
The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Impacted products
3 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom); Affected: 9.4, < 9.4.12 (custom); Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.12 (custom); Affected: 10.2.2510, < 10.2.2510.14 (custom); Affected: 10.1.2507, < 10.1.2507.22 (custom); Affected: 9.3.2411, < 9.3.2411.132 (custom) |
| Splunk | Splunk Secure Gateway | Affected: 3.10, < 3.10.6 (custom); Affected: 3.9, < 3.9.20 (custom); Affected: 3.8, < 3.8.67 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T03:55:39.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.12",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.14",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.22",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
},
{
"product": "Splunk Secure Gateway",
"vendor": "Splunk",
"versions": [
{
"lessThan": "3.10.6",
"status": "affected",
"version": "3.10",
"versionType": "custom"
},
{
"lessThan": "3.9.20",
"status": "affected",
"version": "3.9",
"versionType": "custom"
},
{
"lessThan": "3.8.67",
"status": "affected",
"version": "3.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "M Mahdan Argya Syarif (0xbeludan)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.\u003cbr\u003e\u003cbr\u003eThe Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the \u2018jsonpickle\u2019 Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.\u003cbr\u003e\u003cbr\u003eThe Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the \u2018jsonpickle\u2019 Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:00.352Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0601"
}
],
"source": {
"advisory": "SVD-2026-0601"
},
"title": "Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20251",
"datePublished": "2026-06-10T17:16:00.352Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-11T03:55:39.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20240 (GCVE-0-2026-20240)
Vulnerability from nvd – Published: 2026-05-20 16:32 – Updated: 2026-05-20 17:47
Title
Denial of Service through coldToFrozen.sh Script in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional.
The Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.2 (custom); Affected: 10.0, < 10.0.5 (custom); Affected: 9.4, < 9.4.11 (custom); Affected: 9.3, < 9.3.12 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2603, < 10.4.2603.1 (custom); Affected: 10.3.2512, < 10.3.2512.9 (custom); Affected: 10.2.2510, < 10.2.2510.11 (custom); Affected: 10.1.2507, < 10.1.2507.21 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom); Affected: 9.3.2411, < 9.3.2411.129 (custom) |
Date Public
2026-05-20 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T17:47:29.920729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T17:47:46.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.11",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.12",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.4.2603.1",
"status": "affected",
"version": "10.4.2603",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.9",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.11",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.21",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.129",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alex Hordijk (hordalex)"
}
],
"datePublic": "2026-05-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the \u2018admin\u2019 or \u2018power\u2019 Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional.\u003cbr\u003e\u003cbr\u003eThe Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories."
}
],
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the \u2018admin\u2019 or \u2018power\u2019 Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional.\u003cbr\u003e\u003cbr\u003eThe Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:32:05.687Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0504"
}
],
"source": {
"advisory": "SVD-2026-0504"
},
"title": "Denial of Service through coldToFrozen.sh Script in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20240",
"datePublished": "2026-05-20T16:32:05.687Z",
"dateReserved": "2025-10-08T11:59:15.400Z",
"dateUpdated": "2026-05-20T17:47:46.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20239 (GCVE-0-2026-20239)
Vulnerability from nvd – Published: 2026-05-20 16:32 – Updated: 2026-05-21 03:55
Title
Sensitive Information Disclosure through Log Files in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.2 (custom); Affected: 10.0, < 10.0.5 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.8 (custom); Affected: 10.2.2510, < 10.2.2510.11 (custom); Affected: 10.1.2507, < 10.1.2507.21 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom) |
Date Public
2026-05-20 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T03:55:38.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.8",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.11",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.21",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Charlie Huggard, Splunk"
}
],
"datePublic": "2026-05-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data."
}
],
"value": "In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:32:12.678Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0503"
}
],
"source": {
"advisory": "SVD-2026-0503"
},
"title": "Sensitive Information Disclosure through Log Files in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20239",
"datePublished": "2026-05-20T16:32:12.678Z",
"dateReserved": "2025-10-08T11:59:15.400Z",
"dateUpdated": "2026-05-21T03:55:38.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20204 (GCVE-0-2026-20204)
Vulnerability from nvd – Published: 2026-04-15 15:17 – Updated: 2026-04-16 03:55
Title
Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-377 - Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.1 (custom); Affected: 10.0, < 10.0.5 (custom); Affected: 9.4, < 9.4.10 (custom); Affected: 9.3, < 9.3.11 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2603, < Not Affected (custom); Affected: 10.3.2512, < 10.3.2512.5 (custom); Affected: 10.2.2510, < 10.2.2510.9 (custom); Affected: 10.1.2507, < 10.1.2507.19 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom); Affected: 9.3.2411, < 9.3.2411.127 (custom) |
Date Public
2026-04-15 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T03:55:29.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.1",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.10",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "Not Affected",
"status": "affected",
"version": "10.4.2603",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.5",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.9",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.19",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.127",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Gabriel Nitu, Splunk"
}
],
"datePublic": "2026-04-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory."
}
],
"value": "In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "Creating and using insecure temporary files can leave application and system data vulnerable to attack.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:17:54.019Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0403"
}
],
"source": {
"advisory": "SVD-2026-0403"
},
"title": "Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20204",
"datePublished": "2026-04-15T15:17:54.019Z",
"dateReserved": "2025-10-08T11:59:15.397Z",
"dateUpdated": "2026-04-16T03:55:29.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20203 (GCVE-0-2026-20203)
Vulnerability from nvd – Published: 2026-04-15 15:17 – Updated: 2026-04-15 17:40
Title
Improper Access Control in Data Model Acceleration in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles, has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.2 (custom); Affected: 10.0, < 10.0.5 (custom); Affected: 9.4, < 9.4.10 (custom); Affected: 9.3, < 9.3.11 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2603, < Not Affected (custom); Affected: 10.3.2512, < 10.3.2512.6 (custom); Affected: 10.2.2510, < 10.2.2510.10 (custom); Affected: 10.1.2507, < 10.1.2507.19 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom); Affected: 9.3.2411, < 9.3.2411.127 (custom) |
Date Public
2026-04-15 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T17:40:22.461732Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T17:40:36.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.10",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "Not Affected",
"status": "affected",
"version": "10.4.2603",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.6",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.10",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.19",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.127",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mr Hack (try_to_hack) Santiago Lopez"
}
],
"datePublic": "2026-04-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles,\u00a0has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control."
}
],
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles,\u00a0has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:17:56.261Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0402"
}
],
"source": {
"advisory": "SVD-2026-0402"
},
"title": "Improper Access Control in Data Model Acceleration in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20203",
"datePublished": "2026-04-15T15:17:56.261Z",
"dateReserved": "2025-10-08T11:59:15.397Z",
"dateUpdated": "2026-04-15T17:40:36.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20202 (GCVE-0-2026-20202)
Vulnerability from nvd – Published: 2026-04-15 15:17 – Updated: 2026-04-16 03:55
Title
Improper Input Validation during User Account Creation in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user` could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.
This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-176 - The software does not properly handle when an input contains Unicode encoding.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.2 (custom); Affected: 10.0, < 10.0.5 (custom); Affected: 9.4, < 9.4.10 (custom); Affected: 9.3, < 9.3.11 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2603, < Not Affected (custom); Affected: 10.3.2512, < 10.3.2512.6 (custom); Affected: 10.2.2510, < 10.2.2510.10 (custom); Affected: 10.1.2507, < 10.1.2507.20 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom); Affected: 9.3.2411, < 9.3.2411.127 (custom) |
Date Public
2026-04-15 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T03:55:28.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.10",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "Not Affected",
"status": "affected",
"version": "10.4.2603",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.6",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.10",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.20",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.127",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ryan Luke\u003cbr\u003e\u003cbr\u003eMahfujur Rahman (mahfujwhh)"
}
],
"datePublic": "2026-04-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.\u003cbr\u003e\u003cbr\u003eThis could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users."
}
],
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.\u003cbr\u003e\u003cbr\u003eThis could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-176",
"description": "The software does not properly handle when an input contains Unicode encoding.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:17:43.871Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0401"
}
],
"source": {
"advisory": "SVD-2026-0401"
},
"title": "Improper Input Validation during User Account Creation in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20202",
"datePublished": "2026-04-15T15:17:43.871Z",
"dateReserved": "2025-10-08T11:59:15.397Z",
"dateUpdated": "2026-04-16T03:55:28.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20166 (GCVE-0-2026-20166)
Vulnerability from nvd – Published: 2026-03-11 16:18 – Updated: 2026-03-12 16:19
Title
Sensitive Information Disclosure in Discover Splunk Observability Cloud app for Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control.
This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.1 (custom); Affected: 10.0, < 10.0.4 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.5 (custom); Affected: 10.1.2507, < 10.1.2507.16 (custom); Affected: 10.0.2503, < 10.0.2503.12 (custom) |
Date Public
2026-03-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T15:40:11.819588Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T16:19:30.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.1",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.4",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2510.5",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.16",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.12",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Will Zgoda, Splunk"
}
],
"datePublic": "2026-03-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. \n\nThis vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise."
}
],
"value": "In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. \n\nThis vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T16:18:17.121Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0305"
}
],
"source": {
"advisory": "SVD-2026-0305"
},
"title": "Sensitive Information Disclosure in Discover Splunk Observability Cloud app for Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20166",
"datePublished": "2026-03-11T16:18:17.121Z",
"dateReserved": "2025-10-08T11:59:15.390Z",
"dateUpdated": "2026-03-12T16:19:30.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20164 (GCVE-0-2026-20164)
Vulnerability from nvd – Published: 2026-03-11 16:18 – Updated: 2026-03-12 16:19
Title
Sensitive Information Disclosure through Improper Access Control in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.0, < 10.0.3 (custom); Affected: 9.4, < 9.4.9 (custom); Affected: 9.3, < 9.3.10 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.5 (custom); Affected: 10.1.2507, < 10.1.2507.16 (custom); Affected: 10.0.2503, < 10.0.2503.11 (custom); Affected: 9.3.2411, < 9.3.2411.123 (custom) |
Date Public
2026-03-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T15:40:30.867807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T16:19:36.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.3",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.9",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.10",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2510.5",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.16",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.11",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.123",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alex Hordijk (hordalex)"
}
],
"datePublic": "2026-03-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials."
}
],
"value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T16:18:01.915Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0303"
}
],
"source": {
"advisory": "SVD-2026-0303"
},
"title": "Sensitive Information Disclosure through Improper Access Control in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20164",
"datePublished": "2026-03-11T16:18:01.915Z",
"dateReserved": "2025-10-08T11:59:15.389Z",
"dateUpdated": "2026-03-12T16:19:36.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20163 (GCVE-0-2026-20163)
Vulnerability from nvd – Published: 2026-03-11 16:18 – Updated: 2026-03-12 13:23
Title
Remote Command Execution (RCE) through the '/splunkd/__upload/indexing/preview' REST endpoint in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.0, < 10.0.4 (custom); Affected: 9.4, < 9.4.9 (custom); Affected: 9.3, < 9.3.10 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.5 (custom); Affected: 10.0.2503, < 10.0.2503.12 (custom); Affected: 10.1.2507, < 10.1.2507.16 (custom); Affected: 9.3.2411, < 9.3.2411.124 (custom) |
Date Public
2026-03-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T03:55:43.201014Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T13:23:31.857Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.4",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.9",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.10",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2510.5",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.12",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.16",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.124",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo Dmytriiev (DDV_UA) \u003cbr\u003e\u003cbr\u003eGabriel Nitu, Splunk\u003cbr\u003e\u003cbr\u003eJames Ervin, Splunk"
}
],
"datePublic": "2026-03-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint."
}
],
"value": "In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T16:18:26.857Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0302"
}
],
"source": {
"advisory": "SVD-2026-0302"
},
"title": "Remote Command Execution (RCE) through the \u0027/splunkd/__upload/indexing/preview\u0027 REST endpoint in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20163",
"datePublished": "2026-03-11T16:18:26.857Z",
"dateReserved": "2025-10-08T11:59:15.389Z",
"dateUpdated": "2026-03-12T13:23:31.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20162 (GCVE-0-2026-20162)
Vulnerability from nvd – Published: 2026-03-11 16:18 – Updated: 2026-03-12 16:19
Title
Stored Cross-Site Scripting (XSS) through Path Traversal in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user.
The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.0, < 10.0.3 (custom); Affected: 9.4, < 9.4.9 (custom); Affected: 9.3, < 9.3.9 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.4 (custom); Affected: 10.1.2507, < 10.1.2507.15 (custom); Affected: 10.0.2503, < 10.0.2503.11 (custom); Affected: 9.3.2411, < 9.3.2411.123 (custom) |
Date Public
2026-03-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T15:39:42.697422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T16:19:25.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.0.3",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.9",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.9",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2510.4",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.15",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.11",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.123",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Danylo Dmytriiev (DDV_UA)"
}
],
"datePublic": "2026-03-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T16:18:22.880Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0301"
}
],
"source": {
"advisory": "SVD-2026-0301"
},
"title": "Stored Cross-Site Scripting (XSS) through Path Traversal in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20162",
"datePublished": "2026-03-11T16:18:22.880Z",
"dateReserved": "2025-10-08T11:59:15.388Z",
"dateUpdated": "2026-03-12T16:19:25.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20258 (GCVE-0-2026-20258)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:22
Title
Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user.
The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom) |
| Splunk | Splunk Enterprise | Affected: 10.0, < 10.0.7 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.4, < 9.4.12 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.11 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.15 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.1.2507, < 10.1.2507.23 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:22:19.768336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:22:27.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.11",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Tong"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:23.870Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0608"
}
],
"source": {
"advisory": "SVD-2026-0608"
},
"title": "Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20258",
"datePublished": "2026-06-10T17:16:23.870Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:22:27.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20252 (GCVE-0-2026-20252)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:23
Title
Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature.
The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom) |
| Splunk | Splunk Enterprise | Affected: 10.0, < 10.0.7 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.4, < 9.4.12 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2604, < 10.4.2604.3 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.12 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.14 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.1.2507, < 10.1.2507.22 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:23:29.592434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:23:36.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.4.2604.3",
"status": "affected",
"version": "10.4.2604",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.12",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.14",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.22",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "M Mahdan Argya Syarif (0xbeludan)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. \n\nThe vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. \n\nThe vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:19.518Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0602"
}
],
"source": {
"advisory": "SVD-2026-0602"
},
"title": "Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20252",
"datePublished": "2026-06-10T17:16:19.518Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:23:36.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20257 (GCVE-0-2026-20257)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:24
Title
Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it.
The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List.
The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom) |
| Splunk | Splunk Enterprise | Affected: 10.0, < 10.0.7 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.4, < 9.4.12 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.15 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.1.2507, < 10.1.2507.23 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:23:55.427272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:24:02.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.13",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Tong (tongster)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. \n\nThe exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. \n\nThe exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:03.885Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0607"
}
],
"source": {
"advisory": "SVD-2026-0607"
},
"title": "Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20257",
"datePublished": "2026-06-10T17:16:03.885Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:24:02.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20259 (GCVE-0-2026-20259)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:24
Title
Improper Access Control in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom) |
| Splunk | Splunk Enterprise | Affected: 10.0, < 10.0.7 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.12 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.15 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.1.2507, < 10.1.2507.23 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.0.2503, < 10.0.2503.14 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 9.3.2411, < 9.3.2411.131 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:24:17.180120Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:24:37.870Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.12",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.14",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.131",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andres Perez, Splunk"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control."
}
],
"value": "In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:02.256Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0609"
}
],
"source": {
"advisory": "SVD-2026-0609"
},
"title": "Improper Access Control in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20259",
"datePublished": "2026-06-10T17:16:02.256Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:24:37.870Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20255 (GCVE-0-2026-20255)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:25
Title
Improper Input Validation through Classic Dashboards in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server.
The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom) |
| Splunk | Splunk Enterprise | Affected: 10.0, < 10.0.7 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.4, < 9.4.12 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.15 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.1.2507, < 10.1.2507.23 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:25:06.072954Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:25:12.492Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.13",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Tong (tongster)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server. \n\nThe vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server. \n\nThe vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:00.962Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0605"
}
],
"source": {
"advisory": "SVD-2026-0605"
},
"title": "Improper Input Validation through Classic Dashboards in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20255",
"datePublished": "2026-06-10T17:16:00.962Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:25:12.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20251 (GCVE-0-2026-20251)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-11 03:55
Title
Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.
The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom) |
| Splunk | Splunk Enterprise | Affected: 10.0, < 10.0.7 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.4, < 9.4.12 (custom) |
| Splunk | Splunk Enterprise | Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.12 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.2.2510, < 10.2.2510.14 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.1.2507, < 10.1.2507.22 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 9.3.2411, < 9.3.2411.132 (custom) |
| Splunk | Splunk Secure Gateway | Affected: 3.10, < 3.10.6 (custom) |
| Splunk | Splunk Secure Gateway | Affected: 3.9, < 3.9.20 (custom) |
| Splunk | Splunk Secure Gateway | Affected: 3.8, < 3.8.67 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T03:55:39.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.12",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.14",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.22",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
},
{
"product": "Splunk Secure Gateway",
"vendor": "Splunk",
"versions": [
{
"lessThan": "3.10.6",
"status": "affected",
"version": "3.10",
"versionType": "custom"
},
{
"lessThan": "3.9.20",
"status": "affected",
"version": "3.9",
"versionType": "custom"
},
{
"lessThan": "3.8.67",
"status": "affected",
"version": "3.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "M Mahdan Argya Syarif (0xbeludan)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.\u003cbr\u003e\u003cbr\u003eThe Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the \u2018jsonpickle\u2019 Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.\u003cbr\u003e\u003cbr\u003eThe Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the \u2018jsonpickle\u2019 Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:16:00.352Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0601"
}
],
"source": {
"advisory": "SVD-2026-0601"
},
"title": "Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20251",
"datePublished": "2026-06-10T17:16:00.352Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-11T03:55:39.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20254 (GCVE-0-2026-20254)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:15 – Updated: 2026-06-10 18:27
Title
Information Disclosure through External Content Restriction Bypass in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.

The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom); Affected: 9.4, < 9.4.12 (custom); Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.13 (custom); Affected: 10.2.2510, < 10.2.2510.15 (custom); Affected: 10.1.2507, < 10.1.2507.23 (custom); Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:26:45.451095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:27:01.123Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.13",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Fredrik Alexandersson (stok)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.\u003cbr\u003e\u003cbr\u003eThe Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.\u003cbr\u003e\u003cbr\u003eThe Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:15:59.452Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0604"
}
],
"source": {
"advisory": "SVD-2026-0604"
},
"title": "Information Disclosure through External Content Restriction Bypass in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20254",
"datePublished": "2026-06-10T17:15:59.452Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:27:01.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20256 (GCVE-0-2026-20256)
Vulnerability from cvelistv5 – Published: 2026-06-10 17:15 – Updated: 2026-06-10 18:19
Title
Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.

The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.
Severity
5.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.4 (custom); Affected: 10.0, < 10.0.7 (custom); Affected: 9.4, < 9.4.12 (custom); Affected: 9.3, < 9.3.13 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.13 (custom); Affected: 10.2.2510, < 10.2.2510.15 (custom); Affected: 10.1.2507, < 10.1.2507.23 (custom); Affected: 9.3.2411, < 9.3.2411.132 (custom) |
Date Public
2026-06-10 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T18:18:59.939227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T18:19:26.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.7",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.12",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.13",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.13",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.15",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.23",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.132",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Tong (tongster)"
}
],
"datePublic": "2026-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.\u003cbr\u003e\u003cbr\u003eThe vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim."
}
],
"value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.\u003cbr\u003e\u003cbr\u003eThe vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T17:15:55.966Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0606"
}
],
"source": {
"advisory": "SVD-2026-0606"
},
"title": "Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20256",
"datePublished": "2026-06-10T17:15:55.966Z",
"dateReserved": "2025-10-08T11:59:15.401Z",
"dateUpdated": "2026-06-10T18:19:26.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20239 (GCVE-0-2026-20239)
Vulnerability from cvelistv5 – Published: 2026-05-20 16:32 – Updated: 2026-05-21 03:55
Title
Sensitive Information Disclosure through Log Files in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.2 (custom); Affected: 10.0, < 10.0.5 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.3.2512, < 10.3.2512.8 (custom); Affected: 10.2.2510, < 10.2.2510.11 (custom); Affected: 10.1.2507, < 10.1.2507.21 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom) |
Date Public
2026-05-20 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20239",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T03:55:38.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.3.2512.8",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.11",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.21",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Charlie Huggard, Splunk"
}
],
"datePublic": "2026-05-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data."
}
],
"value": "In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:32:12.678Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0503"
}
],
"source": {
"advisory": "SVD-2026-0503"
},
"title": "Sensitive Information Disclosure through Log Files in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20239",
"datePublished": "2026-05-20T16:32:12.678Z",
"dateReserved": "2025-10-08T11:59:15.400Z",
"dateUpdated": "2026-05-21T03:55:38.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20240 (GCVE-0-2026-20240)
Vulnerability from cvelistv5 – Published: 2026-05-20 16:32 – Updated: 2026-05-20 17:47
Title
Denial of Service through coldToFrozen.sh Script in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional.

The Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.2 (custom); Affected: 10.0, < 10.0.5 (custom); Affected: 9.4, < 9.4.11 (custom); Affected: 9.3, < 9.3.12 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2603, < 10.4.2603.1 (custom); Affected: 10.3.2512, < 10.3.2512.9 (custom); Affected: 10.2.2510, < 10.2.2510.11 (custom); Affected: 10.1.2507, < 10.1.2507.21 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom); Affected: 9.3.2411, < 9.3.2411.129 (custom) |
Date Public
2026-05-20 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T17:47:29.920729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T17:47:46.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.11",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.12",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.4.2603.1",
"status": "affected",
"version": "10.4.2603",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.9",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.11",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.21",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.129",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Alex Hordijk (hordalex)"
}
],
"datePublic": "2026-05-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the \u2018admin\u2019 or \u2018power\u2019 Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional.\u003cbr\u003e\u003cbr\u003eThe Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories."
}
],
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the \u2018admin\u2019 or \u2018power\u2019 Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional.\u003cbr\u003e\u003cbr\u003eThe Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T16:32:05.687Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0504"
}
],
"source": {
"advisory": "SVD-2026-0504"
},
"title": "Denial of Service through coldToFrozen.sh Script in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20240",
"datePublished": "2026-05-20T16:32:05.687Z",
"dateReserved": "2025-10-08T11:59:15.400Z",
"dateUpdated": "2026-05-20T17:47:46.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20203 (GCVE-0-2026-20203)
Vulnerability from cvelistv5 – Published: 2026-04-15 15:17 – Updated: 2026-04-15 17:40
Title
Improper Access Control in Data Model Acceleration in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles, has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.2 (custom); Affected: 10.0, < 10.0.5 (custom); Affected: 9.4, < 9.4.10 (custom); Affected: 9.3, < 9.3.11 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2603, < Not Affected (custom); Affected: 10.3.2512, < 10.3.2512.6 (custom); Affected: 10.2.2510, < 10.2.2510.10 (custom); Affected: 10.1.2507, < 10.1.2507.19 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom); Affected: 9.3.2411, < 9.3.2411.127 (custom) |
Date Public
2026-04-15 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T17:40:22.461732Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T17:40:36.484Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.10",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "Not Affected",
"status": "affected",
"version": "10.4.2603",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.6",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.10",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.19",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.127",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mr Hack (try_to_hack) Santiago Lopez"
}
],
"datePublic": "2026-04-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles,\u00a0has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control."
}
],
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles,\u00a0has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:17:56.261Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0402"
}
],
"source": {
"advisory": "SVD-2026-0402"
},
"title": "Improper Access Control in Data Model Acceleration in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20203",
"datePublished": "2026-04-15T15:17:56.261Z",
"dateReserved": "2025-10-08T11:59:15.397Z",
"dateUpdated": "2026-04-15T17:40:36.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20204 (GCVE-0-2026-20204)
Vulnerability from cvelistv5 – Published: 2026-04-15 15:17 – Updated: 2026-04-16 03:55
VLAI
Title
Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-377 - Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.1 (custom); Affected: 10.0, < 10.0.5 (custom); Affected: 9.4, < 9.4.10 (custom); Affected: 9.3, < 9.3.11 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2603, < Not Affected (custom); Affected: 10.3.2512, < 10.3.2512.5 (custom); Affected: 10.2.2510, < 10.2.2510.9 (custom); Affected: 10.1.2507, < 10.1.2507.19 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom); Affected: 9.3.2411, < 9.3.2411.127 (custom) |
Date Public
2026-04-15 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T03:55:29.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.1",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.10",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "Not Affected",
"status": "affected",
"version": "10.4.2603",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.5",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.9",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.19",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.127",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Gabriel Nitu, Splunk"
}
],
"datePublic": "2026-04-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory."
}
],
"value": "In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "Creating and using insecure temporary files can leave application and system data vulnerable to attack.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:17:54.019Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0403"
}
],
"source": {
"advisory": "SVD-2026-0403"
},
"title": "Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20204",
"datePublished": "2026-04-15T15:17:54.019Z",
"dateReserved": "2025-10-08T11:59:15.397Z",
"dateUpdated": "2026-04-16T03:55:29.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20202 (GCVE-0-2026-20202)
Vulnerability from cvelistv5 – Published: 2026-04-15 15:17 – Updated: 2026-04-16 03:55
VLAI
Title
Improper Input Validation during User Account Creation in Splunk Enterprise
Summary
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user` could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.

This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-176 - The software does not properly handle when an input contains Unicode encoding.
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Splunk | Splunk Enterprise | Affected: 10.2, < 10.2.2 (custom); Affected: 10.0, < 10.0.5 (custom); Affected: 9.4, < 9.4.10 (custom); Affected: 9.3, < 9.3.11 (custom) |
| Splunk | Splunk Cloud Platform | Affected: 10.4.2603, < Not Affected (custom); Affected: 10.3.2512, < 10.3.2512.6 (custom); Affected: 10.2.2510, < 10.2.2510.10 (custom); Affected: 10.1.2507, < 10.1.2507.20 (custom); Affected: 10.0.2503, < 10.0.2503.13 (custom); Affected: 9.3.2411, < 9.3.2411.127 (custom) |
Date Public
2026-04-15 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T03:55:28.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Splunk Enterprise",
"vendor": "Splunk",
"versions": [
{
"lessThan": "10.2.2",
"status": "affected",
"version": "10.2",
"versionType": "custom"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0",
"versionType": "custom"
},
{
"lessThan": "9.4.10",
"status": "affected",
"version": "9.4",
"versionType": "custom"
},
{
"lessThan": "9.3.11",
"status": "affected",
"version": "9.3",
"versionType": "custom"
}
]
},
{
"product": "Splunk Cloud Platform",
"vendor": "Splunk",
"versions": [
{
"lessThan": "Not Affected",
"status": "affected",
"version": "10.4.2603",
"versionType": "custom"
},
{
"lessThan": "10.3.2512.6",
"status": "affected",
"version": "10.3.2512",
"versionType": "custom"
},
{
"lessThan": "10.2.2510.10",
"status": "affected",
"version": "10.2.2510",
"versionType": "custom"
},
{
"lessThan": "10.1.2507.20",
"status": "affected",
"version": "10.1.2507",
"versionType": "custom"
},
{
"lessThan": "10.0.2503.13",
"status": "affected",
"version": "10.0.2503",
"versionType": "custom"
},
{
"lessThan": "9.3.2411.127",
"status": "affected",
"version": "9.3.2411",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ryan Luke\u003cbr\u003e\u003cbr\u003eMahfujur Rahman (mahfujwhh)"
}
],
"datePublic": "2026-04-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.\u003cbr\u003e\u003cbr\u003eThis could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users."
}
],
"value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.\u003cbr\u003e\u003cbr\u003eThis could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-176",
"description": "The software does not properly handle when an input contains Unicode encoding.",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:17:43.871Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"url": "https://advisory.splunk.com/advisories/SVD-2026-0401"
}
],
"source": {
"advisory": "SVD-2026-0401"
},
"title": "Improper Input Validation during User Account Creation in Splunk Enterprise"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20202",
"datePublished": "2026-04-15T15:17:43.871Z",
"dateReserved": "2025-10-08T11:59:15.397Z",
"dateUpdated": "2026-04-16T03:55:28.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}