Vulnerability-Lookup

WID-SEC-W-2026-1877

Vulnerability from csaf_certbund - Published: 2026-06-10 22:00 - Updated: 2026-06-14 22:00

Summary

Splunk Enterprise: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Splunk Enterprise ermöglicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Splunk Enterprise ausnutzen, um beliebigen Code auszuführen, Cross-Site-Scripting-Angriffe durchzuführen, Daten zu manipulieren, Sicherheitsmaßnahmen zu umgehen oder vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-20251

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Splunk Splunk Enterprise <9.3.13 Splunk / Splunk Enterprise		<9.3.13
Splunk Splunk Enterprise <9.4.12 Splunk / Splunk Enterprise		<9.4.12
Splunk Splunk Enterprise <10.0.7 Splunk / Splunk Enterprise		<10.0.7
Splunk Splunk Enterprise <10.2.4 Splunk / Splunk Enterprise		<10.2.4
Splunk Splunk Enterprise <10.4.0 Splunk / Splunk Enterprise		<10.4.0

CVE-2026-20252

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Splunk Splunk Enterprise <9.3.13 Splunk / Splunk Enterprise		<9.3.13
Splunk Splunk Enterprise <9.4.12 Splunk / Splunk Enterprise		<9.4.12
Splunk Splunk Enterprise <10.0.7 Splunk / Splunk Enterprise		<10.0.7
Splunk Splunk Enterprise <10.2.4 Splunk / Splunk Enterprise		<10.2.4
Splunk Splunk Enterprise <10.4.0 Splunk / Splunk Enterprise		<10.4.0

CVE-2026-20254

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Splunk Splunk Enterprise <9.3.13 Splunk / Splunk Enterprise		<9.3.13
Splunk Splunk Enterprise <9.4.12 Splunk / Splunk Enterprise		<9.4.12
Splunk Splunk Enterprise <10.0.7 Splunk / Splunk Enterprise		<10.0.7
Splunk Splunk Enterprise <10.2.4 Splunk / Splunk Enterprise		<10.2.4
Splunk Splunk Enterprise <10.4.0 Splunk / Splunk Enterprise		<10.4.0

CVE-2026-20255

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Splunk Splunk Enterprise <9.3.13 Splunk / Splunk Enterprise		<9.3.13
Splunk Splunk Enterprise <9.4.12 Splunk / Splunk Enterprise		<9.4.12
Splunk Splunk Enterprise <10.0.7 Splunk / Splunk Enterprise		<10.0.7
Splunk Splunk Enterprise <10.2.4 Splunk / Splunk Enterprise		<10.2.4
Splunk Splunk Enterprise <10.4.0 Splunk / Splunk Enterprise		<10.4.0

CVE-2026-20256

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Splunk Splunk Enterprise <9.3.13 Splunk / Splunk Enterprise		<9.3.13
Splunk Splunk Enterprise <9.4.12 Splunk / Splunk Enterprise		<9.4.12
Splunk Splunk Enterprise <10.0.7 Splunk / Splunk Enterprise		<10.0.7
Splunk Splunk Enterprise <10.2.4 Splunk / Splunk Enterprise		<10.2.4
Splunk Splunk Enterprise <10.4.0 Splunk / Splunk Enterprise		<10.4.0

CVE-2026-20257

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Splunk Splunk Enterprise <9.3.13 Splunk / Splunk Enterprise		<9.3.13
Splunk Splunk Enterprise <9.4.12 Splunk / Splunk Enterprise		<9.4.12
Splunk Splunk Enterprise <10.0.7 Splunk / Splunk Enterprise		<10.0.7
Splunk Splunk Enterprise <10.2.4 Splunk / Splunk Enterprise		<10.2.4
Splunk Splunk Enterprise <10.4.0 Splunk / Splunk Enterprise		<10.4.0

CVE-2026-20258

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Splunk Splunk Enterprise <9.3.13 Splunk / Splunk Enterprise		<9.3.13
Splunk Splunk Enterprise <9.4.12 Splunk / Splunk Enterprise		<9.4.12
Splunk Splunk Enterprise <10.0.7 Splunk / Splunk Enterprise		<10.0.7
Splunk Splunk Enterprise <10.2.4 Splunk / Splunk Enterprise		<10.2.4
Splunk Splunk Enterprise <10.4.0 Splunk / Splunk Enterprise		<10.4.0

CVE-2026-20259

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
Splunk Splunk Enterprise <9.3.13 Splunk / Splunk Enterprise		<9.3.13
Splunk Splunk Enterprise <9.4.12 Splunk / Splunk Enterprise		<9.4.12
Splunk Splunk Enterprise <10.0.7 Splunk / Splunk Enterprise		<10.0.7
Splunk Splunk Enterprise <10.2.4 Splunk / Splunk Enterprise		<10.2.4
Splunk Splunk Enterprise <10.4.0 Splunk / Splunk Enterprise		<10.4.0

CVE-2026-20253

Affected products

Known affected 4 products

Product	Identifier	Version	Remediation
Splunk Splunk Enterprise <9.3.13 Splunk / Splunk Enterprise		<9.3.13
Splunk Splunk Enterprise <9.4.12 Splunk / Splunk Enterprise		<9.4.12
Splunk Splunk Enterprise <10.0.7 Splunk / Splunk Enterprise		<10.0.7
Splunk Splunk Enterprise <10.2.4 Splunk / Splunk Enterprise		<10.2.4

References

12 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://advisory.splunk.com/advisories/SVD-2026-0601	external
https://advisory.splunk.com/advisories/SVD-2026-0602	external
https://advisory.splunk.com/advisories/SVD-2026-0603	external
https://advisory.splunk.com/advisories/SVD-2026-0604	external
https://advisory.splunk.com/advisories/SVD-2026-0605	external
https://advisory.splunk.com/advisories/SVD-2026-0606	external
https://advisory.splunk.com/advisories/SVD-2026-0607	external
https://advisory.splunk.com/advisories/SVD-2026-0608	external
https://advisory.splunk.com/advisories/SVD-2026-0609	external
https://labs.watchtowr.com/why-use-app-level-auth…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Splunk Enterprise erm\u00f6glicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Splunk Enterprise ausnutzen, um beliebigen Code auszuf\u00fchren, Cross-Site-Scripting-Angriffe durchzuf\u00fchren, Daten zu manipulieren, Sicherheitsma\u00dfnahmen zu umgehen oder vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1877 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1877.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1877 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1877"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2026-06-10",
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0601"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2026-06-10",
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0602"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2026-06-10",
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0603"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2026-06-10",
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0604"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2026-06-10",
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0605"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2026-06-10",
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0606"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2026-06-10",
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0607"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2026-06-10",
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0608"
      },
      {
        "category": "external",
        "summary": "Splunk Security Advisory vom 2026-06-10",
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0609"
      },
      {
        "category": "external",
        "summary": "WatchTower Labs Report on CVE-2026-20253 vom 2026-06-14",
        "url": "https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/"
      }
    ],
    "source_lang": "en-US",
    "title": "Splunk Enterprise: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-14T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-15T09:40:08.351+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1877",
      "initial_release_date": "2026-06-10T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-06-10T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-06-14T22:00:00.000+00:00",
          "number": "2",
          "summary": "PoC f\u00fcr CVE-2026-20253 aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c10.4.0",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c10.4.0",
                  "product_id": "T055213"
                }
              },
              {
                "category": "product_version",
                "name": "10.4.0",
                "product": {
                  "name": "Splunk Splunk Enterprise 10.4.0",
                  "product_id": "T055213-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:10.4.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.2.4",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c10.2.4",
                  "product_id": "T055214"
                }
              },
              {
                "category": "product_version",
                "name": "10.2.4",
                "product": {
                  "name": "Splunk Splunk Enterprise 10.2.4",
                  "product_id": "T055214-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:10.2.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.0.7",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c10.0.7",
                  "product_id": "T055215"
                }
              },
              {
                "category": "product_version",
                "name": "10.0.7",
                "product": {
                  "name": "Splunk Splunk Enterprise 10.0.7",
                  "product_id": "T055215-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:10.0.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.4.12",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.4.12",
                  "product_id": "T055216"
                }
              },
              {
                "category": "product_version",
                "name": "9.4.12",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.4.12",
                  "product_id": "T055216-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.4.12"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.3.13",
                "product": {
                  "name": "Splunk Splunk Enterprise \u003c9.3.13",
                  "product_id": "T055217"
                }
              },
              {
                "category": "product_version",
                "name": "9.3.13",
                "product": {
                  "name": "Splunk Splunk Enterprise 9.3.13",
                  "product_id": "T055217-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:splunk:splunk:9.3.13"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Splunk Enterprise"
          }
        ],
        "category": "vendor",
        "name": "Splunk"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-20251",
      "product_status": {
        "known_affected": [
          "T055217",
          "T055216",
          "T055215",
          "T055214",
          "T055213"
        ]
      },
      "release_date": "2026-06-10T22:00:00.000+00:00",
      "title": "CVE-2026-20251"
    },
    {
      "cve": "CVE-2026-20252",
      "product_status": {
        "known_affected": [
          "T055217",
          "T055216",
          "T055215",
          "T055214",
          "T055213"
        ]
      },
      "release_date": "2026-06-10T22:00:00.000+00:00",
      "title": "CVE-2026-20252"
    },
    {
      "cve": "CVE-2026-20254",
      "product_status": {
        "known_affected": [
          "T055217",
          "T055216",
          "T055215",
          "T055214",
          "T055213"
        ]
      },
      "release_date": "2026-06-10T22:00:00.000+00:00",
      "title": "CVE-2026-20254"
    },
    {
      "cve": "CVE-2026-20255",
      "product_status": {
        "known_affected": [
          "T055217",
          "T055216",
          "T055215",
          "T055214",
          "T055213"
        ]
      },
      "release_date": "2026-06-10T22:00:00.000+00:00",
      "title": "CVE-2026-20255"
    },
    {
      "cve": "CVE-2026-20256",
      "product_status": {
        "known_affected": [
          "T055217",
          "T055216",
          "T055215",
          "T055214",
          "T055213"
        ]
      },
      "release_date": "2026-06-10T22:00:00.000+00:00",
      "title": "CVE-2026-20256"
    },
    {
      "cve": "CVE-2026-20257",
      "product_status": {
        "known_affected": [
          "T055217",
          "T055216",
          "T055215",
          "T055214",
          "T055213"
        ]
      },
      "release_date": "2026-06-10T22:00:00.000+00:00",
      "title": "CVE-2026-20257"
    },
    {
      "cve": "CVE-2026-20258",
      "product_status": {
        "known_affected": [
          "T055217",
          "T055216",
          "T055215",
          "T055214",
          "T055213"
        ]
      },
      "release_date": "2026-06-10T22:00:00.000+00:00",
      "title": "CVE-2026-20258"
    },
    {
      "cve": "CVE-2026-20259",
      "product_status": {
        "known_affected": [
          "T055217",
          "T055216",
          "T055215",
          "T055214",
          "T055213"
        ]
      },
      "release_date": "2026-06-10T22:00:00.000+00:00",
      "title": "CVE-2026-20259"
    },
    {
      "cve": "CVE-2026-20253",
      "product_status": {
        "known_affected": [
          "T055217",
          "T055216",
          "T055215",
          "T055214"
        ]
      },
      "release_date": "2026-06-10T22:00:00.000+00:00",
      "title": "CVE-2026-20253"
    }
  ]
}

CVE-2026-20251 (GCVE-0-2026-20251)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-11 03:55

Title

Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway

Summary

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app. The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Assigner

cisco

References

1 reference

URL	Tags
https://advisory.splunk.com/advisories/SVD-2026-0601

Impacted products

3 products

Vendor	Product	Version
Splunk	Splunk Enterprise	Affected: 10.2 , < 10.2.4 (custom) Affected: 10.0 , < 10.0.7 (custom) Affected: 9.4 , < 9.4.12 (custom) Affected: 9.3 , < 9.3.13 (custom)
Splunk	Splunk Cloud Platform	Affected: 10.3.2512 , < 10.3.2512.12 (custom) Affected: 10.2.2510 , < 10.2.2510.14 (custom) Affected: 10.1.2507 , < 10.1.2507.22 (custom) Affected: 9.3.2411 , < 9.3.2411.132 (custom)
Splunk	Splunk Secure Gateway	Affected: 3.10 , < 3.10.6 (custom) Affected: 3.9 , < 3.9.20 (custom) Affected: 3.8 , < 3.8.67 (custom)

Date Public

2026-06-10 00:00

Credits

M Mahdan Argya Syarif (0xbeludan)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20251",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T03:55:39.372Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "9.4.12",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.13",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.3.2512.12",
              "status": "affected",
              "version": "10.3.2512",
              "versionType": "custom"
            },
            {
              "lessThan": "10.2.2510.14",
              "status": "affected",
              "version": "10.2.2510",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.2507.22",
              "status": "affected",
              "version": "10.1.2507",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2411.132",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Secure Gateway",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "3.10.6",
              "status": "affected",
              "version": "3.10",
              "versionType": "custom"
            },
            {
              "lessThan": "3.9.20",
              "status": "affected",
              "version": "3.9",
              "versionType": "custom"
            },
            {
              "lessThan": "3.8.67",
              "status": "affected",
              "version": "3.8",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "M Mahdan Argya Syarif (0xbeludan)"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.\u003cbr\u003e\u003cbr\u003eThe Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the \u2018jsonpickle\u2019 Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation."
            }
          ],
          "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.\u003cbr\u003e\u003cbr\u003eThe Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the \u2018jsonpickle\u2019 Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:16:00.352Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2026-0601"
        }
      ],
      "source": {
        "advisory": "SVD-2026-0601"
      },
      "title": "Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20251",
    "datePublished": "2026-06-10T17:16:00.352Z",
    "dateReserved": "2025-10-08T11:59:15.401Z",
    "dateUpdated": "2026-06-11T03:55:39.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20252 (GCVE-0-2026-20252)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:23

Title

Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise

Summary

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.

Severity

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Assigner

cisco

References

1 reference

URL	Tags
https://advisory.splunk.com/advisories/SVD-2026-0602

Impacted products

2 products

Vendor	Product	Version
Splunk	Splunk Enterprise	Affected: 10.2 , < 10.2.4 (custom) Affected: 10.0 , < 10.0.7 (custom) Affected: 9.4 , < 9.4.12 (custom) Affected: 9.3 , < 9.3.13 (custom)
Splunk	Splunk Cloud Platform	Affected: 10.4.2604 , < 10.4.2604.3 (custom) Affected: 10.3.2512 , < 10.3.2512.12 (custom) Affected: 10.2.2510 , < 10.2.2510.14 (custom) Affected: 10.1.2507 , < 10.1.2507.22 (custom) Affected: 9.3.2411 , < 9.3.2411.132 (custom)

Date Public

2026-06-10 00:00

Credits

M Mahdan Argya Syarif (0xbeludan)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20252",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:23:29.592434Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:23:36.803Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "9.4.12",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.13",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.4.2604.3",
              "status": "affected",
              "version": "10.4.2604",
              "versionType": "custom"
            },
            {
              "lessThan": "10.3.2512.12",
              "status": "affected",
              "version": "10.3.2512",
              "versionType": "custom"
            },
            {
              "lessThan": "10.2.2510.14",
              "status": "affected",
              "version": "10.2.2510",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.2507.22",
              "status": "affected",
              "version": "10.1.2507",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2411.132",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "M Mahdan Argya Syarif (0xbeludan)"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature.  \n\nThe vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist."
            }
          ],
          "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature.  \n\nThe vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:16:19.518Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2026-0602"
        }
      ],
      "source": {
        "advisory": "SVD-2026-0602"
      },
      "title": "Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20252",
    "datePublished": "2026-06-10T17:16:19.518Z",
    "dateReserved": "2025-10-08T11:59:15.401Z",
    "dateUpdated": "2026-06-10T18:23:36.803Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20253 (GCVE-0-2026-20253)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-16 03:55

Title

Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

Summary

In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-306 - The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Assigner

cisco

References

1 reference

URL	Tags
https://advisory.splunk.com/advisories/SVD-2026-0603

Impacted products

1 product

Vendor	Product	Version
Splunk	Splunk Enterprise	Affected: 10.2 , < 10.2.4 (custom) Affected: 10.0 , < 10.0.7 (custom)

Date Public

2026-06-10 00:00

Credits

Alex Hordijk (hordalex)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20253",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T03:55:50.493Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Alex Hordijk (hordalex)"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service."
            }
          ],
          "value": "In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:33:56.243Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2026-0603"
        }
      ],
      "source": {
        "advisory": "SVD-2026-0603"
      },
      "title": "Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20253",
    "datePublished": "2026-06-10T17:16:21.242Z",
    "dateReserved": "2025-10-08T11:59:15.401Z",
    "dateUpdated": "2026-06-16T03:55:50.493Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20254 (GCVE-0-2026-20254)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:15 – Updated: 2026-06-10 18:27

Title

Information Disclosure through External Content Restriction Bypass in Splunk Enterprise

Summary

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection. The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.

Severity

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

Assigner

cisco

References

1 reference

URL	Tags
https://advisory.splunk.com/advisories/SVD-2026-0604

Impacted products

2 products

Vendor	Product	Version
Splunk	Splunk Enterprise	Affected: 10.2 , < 10.2.4 (custom) Affected: 10.0 , < 10.0.7 (custom) Affected: 9.4 , < 9.4.12 (custom) Affected: 9.3 , < 9.3.13 (custom)
Splunk	Splunk Cloud Platform	Affected: 10.3.2512 , < 10.3.2512.13 (custom) Affected: 10.2.2510 , < 10.2.2510.15 (custom) Affected: 10.1.2507 , < 10.1.2507.23 (custom) Affected: 9.3.2411 , < 9.3.2411.132 (custom)

Date Public

2026-06-10 00:00

Credits

Fredrik Alexandersson (stok)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20254",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:26:45.451095Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:27:01.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "9.4.12",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.13",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.3.2512.13",
              "status": "affected",
              "version": "10.3.2512",
              "versionType": "custom"
            },
            {
              "lessThan": "10.2.2510.15",
              "status": "affected",
              "version": "10.2.2510",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.2507.23",
              "status": "affected",
              "version": "10.1.2507",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2411.132",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Fredrik Alexandersson (stok)"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.\u003cbr\u003e\u003cbr\u003eThe Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard."
            }
          ],
          "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.\u003cbr\u003e\u003cbr\u003eThe Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:15:59.452Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2026-0604"
        }
      ],
      "source": {
        "advisory": "SVD-2026-0604"
      },
      "title": "Information Disclosure through External Content Restriction Bypass in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20254",
    "datePublished": "2026-06-10T17:15:59.452Z",
    "dateReserved": "2025-10-08T11:59:15.401Z",
    "dateUpdated": "2026-06-10T18:27:01.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20255 (GCVE-0-2026-20255)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:25

Title

Improper Input Validation through Classic Dashboards in Splunk Enterprise

Summary

Severity

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

Assigner

cisco

References

1 reference

URL	Tags
https://advisory.splunk.com/advisories/SVD-2026-0605

Impacted products

2 products

Vendor	Product	Version
Splunk	Splunk Enterprise	Affected: 10.2 , < 10.2.4 (custom) Affected: 10.0 , < 10.0.7 (custom) Affected: 9.4 , < 9.4.12 (custom) Affected: 9.3 , < 9.3.13 (custom)
Splunk	Splunk Cloud Platform	Affected: 10.3.2512 , < 10.3.2512.13 (custom) Affected: 10.2.2510 , < 10.2.2510.15 (custom) Affected: 10.1.2507 , < 10.1.2507.23 (custom) Affected: 9.3.2411 , < 9.3.2411.132 (custom)

Date Public

2026-06-10 00:00

Credits

Tony Tong (tongster)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20255",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:25:06.072954Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:25:12.492Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "9.4.12",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.13",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.3.2512.13",
              "status": "affected",
              "version": "10.3.2512",
              "versionType": "custom"
            },
            {
              "lessThan": "10.2.2510.15",
              "status": "affected",
              "version": "10.2.2510",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.2507.23",
              "status": "affected",
              "version": "10.1.2507",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2411.132",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Tony Tong (tongster)"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server.  \n\nThe vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard."
            }
          ],
          "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server.  \n\nThe vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:16:00.962Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2026-0605"
        }
      ],
      "source": {
        "advisory": "SVD-2026-0605"
      },
      "title": "Improper Input Validation through Classic Dashboards in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20255",
    "datePublished": "2026-06-10T17:16:00.962Z",
    "dateReserved": "2025-10-08T11:59:15.401Z",
    "dateUpdated": "2026-06-10T18:25:12.492Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20256 (GCVE-0-2026-20256)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:15 – Updated: 2026-06-10 18:19

Title

Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise

Summary

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link. The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.

Severity

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

Assigner

cisco

References

1 reference

URL	Tags
https://advisory.splunk.com/advisories/SVD-2026-0606

Impacted products

2 products

Vendor	Product	Version
Splunk	Splunk Enterprise	Affected: 10.2 , < 10.2.4 (custom) Affected: 10.0 , < 10.0.7 (custom) Affected: 9.4 , < 9.4.12 (custom) Affected: 9.3 , < 9.3.13 (custom)
Splunk	Splunk Cloud Platform	Affected: 10.3.2512 , < 10.3.2512.13 (custom) Affected: 10.2.2510 , < 10.2.2510.15 (custom) Affected: 10.1.2507 , < 10.1.2507.23 (custom) Affected: 9.3.2411 , < 9.3.2411.132 (custom)

Date Public

2026-06-10 00:00

Credits

Tony Tong (tongster)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20256",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:18:59.939227Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:19:26.044Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "9.4.12",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.13",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.3.2512.13",
              "status": "affected",
              "version": "10.3.2512",
              "versionType": "custom"
            },
            {
              "lessThan": "10.2.2510.15",
              "status": "affected",
              "version": "10.2.2510",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.2507.23",
              "status": "affected",
              "version": "10.1.2507",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2411.132",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Tony Tong (tongster)"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.\u003cbr\u003e\u003cbr\u003eThe vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim."
            }
          ],
          "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \u0027admin\u0027 or \u0027power\u0027 Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.\u003cbr\u003e\u003cbr\u003eThe vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:15:55.966Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2026-0606"
        }
      ],
      "source": {
        "advisory": "SVD-2026-0606"
      },
      "title": "Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20256",
    "datePublished": "2026-06-10T17:15:55.966Z",
    "dateReserved": "2025-10-08T11:59:15.401Z",
    "dateUpdated": "2026-06-10T18:19:26.044Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20257 (GCVE-0-2026-20257)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:24

Title

Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise

Summary

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

Severity

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-20 - The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

Assigner

cisco

References

1 reference

URL	Tags
https://advisory.splunk.com/advisories/SVD-2026-0607

Impacted products

2 products

Vendor	Product	Version
Splunk	Splunk Enterprise	Affected: 10.2 , < 10.2.4 (custom) Affected: 10.0 , < 10.0.7 (custom) Affected: 9.4 , < 9.4.12 (custom) Affected: 9.3 , < 9.3.13 (custom)
Splunk	Splunk Cloud Platform	Affected: 10.3.2512 , < 10.3.2512.13 (custom) Affected: 10.2.2510 , < 10.2.2510.15 (custom) Affected: 10.1.2507 , < 10.1.2507.23 (custom) Affected: 9.3.2411 , < 9.3.2411.132 (custom)

Date Public

2026-06-10 00:00

Credits

Tony Tong (tongster)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20257",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:23:55.427272Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:24:02.482Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "9.4.12",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.13",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.3.2512.13",
              "status": "affected",
              "version": "10.3.2512",
              "versionType": "custom"
            },
            {
              "lessThan": "10.2.2510.15",
              "status": "affected",
              "version": "10.2.2510",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.2507.23",
              "status": "affected",
              "version": "10.1.2507",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2411.132",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Tony Tong (tongster)"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it.  \n\nThe exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List.  \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
            }
          ],
          "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it.  \n\nThe exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List.  \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:16:03.885Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2026-0607"
        }
      ],
      "source": {
        "advisory": "SVD-2026-0607"
      },
      "title": "Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20257",
    "datePublished": "2026-06-10T17:16:03.885Z",
    "dateReserved": "2025-10-08T11:59:15.401Z",
    "dateUpdated": "2026-06-10T18:24:02.482Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20258 (GCVE-0-2026-20258)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:22

Title

Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise

Summary

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

Severity

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-79 - The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigner

cisco

References

1 reference

URL	Tags
https://advisory.splunk.com/advisories/SVD-2026-0608

Impacted products

2 products

Vendor	Product	Version
Splunk	Splunk Enterprise	Affected: 10.2 , < 10.2.4 (custom) Affected: 10.0 , < 10.0.7 (custom) Affected: 9.4 , < 9.4.12 (custom) Affected: 9.3 , < 9.3.13 (custom)
Splunk	Splunk Cloud Platform	Affected: 10.3.2512 , < 10.3.2512.11 (custom) Affected: 10.2.2510 , < 10.2.2510.15 (custom) Affected: 10.1.2507 , < 10.1.2507.23 (custom) Affected: 9.3.2411 , < 9.3.2411.132 (custom)

Date Public

2026-06-10 00:00

Credits

Tony Tong

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20258",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:22:19.768336Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:22:27.505Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "9.4.12",
              "status": "affected",
              "version": "9.4",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.13",
              "status": "affected",
              "version": "9.3",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.3.2512.11",
              "status": "affected",
              "version": "10.3.2512",
              "versionType": "custom"
            },
            {
              "lessThan": "10.2.2510.15",
              "status": "affected",
              "version": "10.2.2510",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.2507.23",
              "status": "affected",
              "version": "10.1.2507",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2411.132",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Tony Tong"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user.  \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
            }
          ],
          "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user.  \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:16:23.870Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2026-0608"
        }
      ],
      "source": {
        "advisory": "SVD-2026-0608"
      },
      "title": "Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20258",
    "datePublished": "2026-06-10T17:16:23.870Z",
    "dateReserved": "2025-10-08T11:59:15.401Z",
    "dateUpdated": "2026-06-10T18:22:27.505Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20259 (GCVE-0-2026-20259)

Vulnerability from cvelistv5 – Published: 2026-06-10 17:16 – Updated: 2026-06-10 18:24

Title

Improper Access Control in Splunk Enterprise

Summary

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-284 - The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigner

cisco

References

1 reference

URL	Tags
https://advisory.splunk.com/advisories/SVD-2026-0609

Impacted products

2 products

Vendor	Product	Version
Splunk	Splunk Enterprise	Affected: 10.2 , < 10.2.4 (custom) Affected: 10.0 , < 10.0.7 (custom)
Splunk	Splunk Cloud Platform	Affected: 10.3.2512 , < 10.3.2512.12 (custom) Affected: 10.2.2510 , < 10.2.2510.15 (custom) Affected: 10.1.2507 , < 10.1.2507.23 (custom) Affected: 10.0.2503 , < 10.0.2503.14 (custom) Affected: 9.3.2411 , < 9.3.2411.131 (custom)

Date Public

2026-06-10 00:00

Credits

Andres Perez, Splunk

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20259",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T18:24:17.180120Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T18:24:37.870Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Splunk Enterprise",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.2.4",
              "status": "affected",
              "version": "10.2",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.7",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Splunk Cloud Platform",
          "vendor": "Splunk",
          "versions": [
            {
              "lessThan": "10.3.2512.12",
              "status": "affected",
              "version": "10.3.2512",
              "versionType": "custom"
            },
            {
              "lessThan": "10.2.2510.15",
              "status": "affected",
              "version": "10.2.2510",
              "versionType": "custom"
            },
            {
              "lessThan": "10.1.2507.23",
              "status": "affected",
              "version": "10.1.2507",
              "versionType": "custom"
            },
            {
              "lessThan": "10.0.2503.14",
              "status": "affected",
              "version": "10.0.2503",
              "versionType": "custom"
            },
            {
              "lessThan": "9.3.2411.131",
              "status": "affected",
              "version": "9.3.2411",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Andres Perez, Splunk"
        }
      ],
      "datePublic": "2026-06-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control."
            }
          ],
          "value": "In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:16:02.256Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "url": "https://advisory.splunk.com/advisories/SVD-2026-0609"
        }
      ],
      "source": {
        "advisory": "SVD-2026-0609"
      },
      "title": "Improper Access Control in Splunk Enterprise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2026-20259",
    "datePublished": "2026-06-10T17:16:02.256Z",
    "dateReserved": "2025-10-08T11:59:15.401Z",
    "dateUpdated": "2026-06-10T18:24:37.870Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1877

CVE-2026-20251 (GCVE-0-2026-20251)

CVE-2026-20252 (GCVE-0-2026-20252)

CVE-2026-20253 (GCVE-0-2026-20253)

CVE-2026-20254 (GCVE-0-2026-20254)

CVE-2026-20255 (GCVE-0-2026-20255)

CVE-2026-20256 (GCVE-0-2026-20256)

CVE-2026-20257 (GCVE-0-2026-20257)

CVE-2026-20258 (GCVE-0-2026-20258)

CVE-2026-20259 (GCVE-0-2026-20259)

Tags

Sightings

Nomenclature