By vendor

Splunk vulnerabilities

Known CVEs affecting Splunk products, prioritized by severity, with SEC.co remediation and detection guidance.

8 published vulnerabilities

  • CVE-2026-20251HIGH 8.8

    A vulnerability in Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway allows low-privileged users without admin or power roles to execute arbitrary code remotely. The flaw stems from unsafe deserialization of data stored in Splunk's KV Store (key-value store) component. An attacker only needs basic user credentials to potentially compromise the entire Splunk environment. This is a serious issue because privilege escalation to code execution typically requires administrative access; this vulnerability bypasses that requirement entirely.

  • CVE-2026-20252HIGH 7.6

    A vulnerability in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users to make unauthorized server-side requests to internal systems through the PDF export feature in Dashboard Studio. The flaw stems from weak validation of trusted domains—attackers can bypass the allowlist by registering subdomains (e.g., docs.splunk.com.evil.com) and leveraging automatic HTTP redirect following to reach unintended targets. An authenticated user without admin or power roles can exploit this to probe or attack internal infrastructure.

  • CVE-2026-20258HIGH 7.1

    A stored cross-site scripting (XSS) vulnerability in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged user without admin or power roles to inject malicious JavaScript into a classic dashboard HTML panel. When another user views that dashboard, the attacker's code executes in their browser with their privileges. The attack requires social engineering—the attacker must trick the victim into triggering a request—meaning it cannot be exploited automatically but relies on user interaction.

  • CVE-2026-20254MEDIUM 5.7

    A vulnerability in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users to create malicious dashboards that steal sensitive data when viewed by administrators or power users. The attack works by injecting CSS code into dashboard styling that bypasses Splunk's security controls designed to prevent outbound connections to untrusted servers. An attacker without admin privileges can craft a specially designed 'classic' dashboard that, when opened by someone with higher permissions, silently sends sensitive information—including credentials—to a server they control.

  • CVE-2026-20255MEDIUM 5.7

    Splunk Enterprise and Splunk Cloud Platform contain a vulnerability that allows low-privileged users to create malicious dashboards capable of stealing sensitive data. An attacker without admin or power user roles can craft a dashboard that bypasses URL validation protections, tricking users into sending data to external servers they control. The flaw stems from incomplete validation of URLs in the external content dialog, meaning attackers can direct requests to untrusted domains when legitimate users view the compromised dashboard.

  • CVE-2026-20256MEDIUM 5.7

    A vulnerability in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged user without admin or power roles to trick other users into visiting attacker-controlled websites through specially crafted dashboard links. The flaw exploits a gap in URL validation: Splunk's security check only blocks URLs starting with 'http://' or 'https://', but misses protocol-relative URLs like '//attacker.com'. When a victim clicks a malicious drill-down link in a classic dashboard, they are silently redirected without the warning dialog that normally appears for external navigation. This can lead to credential theft, malware infection, or data exfiltration if the attacker's site mimics a trusted service.

  • CVE-2026-20257MEDIUM 5.7

    A vulnerability in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged user to create a malicious dashboard that can steal sensitive data from higher-privileged users who view it. The attack works by bypassing security controls on dashboard styling, enabling the dashboard to send data to external websites. However, the attacker cannot trigger the theft automatically—they must trick a target into visiting the dashboard, typically through phishing. Once the target views it, their browser could leak information to attacker-controlled servers.

  • CVE-2026-20259MEDIUM 5.5

    A vulnerability in Splunk Enterprise and Splunk Cloud Platform allows authenticated users with the `edit_saved_search_owner` capability to reassign ownership of saved searches to any user, including those outside their normal scope of access. The affected endpoint lacks proper authorization checks, creating an avenue for privilege escalation or lateral movement within Splunk deployments. The vulnerability requires an authenticated attacker with a specific high-privilege role, limiting but not eliminating risk in environments where role delegation is common.