HIGH 7.1

CVE-2026-20258: Splunk Enterprise & Cloud Platform Stored XSS in Dashboard HTML Panels

A stored cross-site scripting (XSS) vulnerability in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged user without admin or power roles to inject malicious JavaScript into a classic dashboard HTML panel. When another user views that dashboard, the attacker's code executes in their browser with their privileges. The attack requires social engineering—the attacker must trick the victim into triggering a request—meaning it cannot be exploited automatically but relies on user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-79
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-20258 is a stored XSS vulnerability (CWE-79) affecting Splunk's classic dashboard HTML panel functionality. A user with minimal privileges can store malicious JavaScript that persists in the dashboard configuration. When a second user accesses the dashboard, the injected script executes in their browser context without additional user consent. The vulnerability has a CVSS 3.1 score of 7.1 (HIGH) with a vector reflecting network access, high attack complexity (due to UI/phishing requirement), low privilege requirement, required user interaction, and high impact to confidentiality, integrity, and availability within the session scope.

Business impact

Successful exploitation could allow an attacker to steal session tokens, manipulate dashboard data displayed to other users, redirect users to malicious sites, or harvest credentials. In Splunk environments managing sensitive operational data, logs, or security information, this could lead to unauthorized data access or actionable intelligence about infrastructure and security controls. The impact scales with dashboard visibility—dashboards viewed by many users or admins amplify the potential for lateral movement or privilege escalation.

Affected systems

Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13 are vulnerable. Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132 are affected. Organizations running any of these versions should prioritize inventory and patching. Splunk versions at or above these thresholds have remediation in place.

Exploitability

While the CVSS score is HIGH (7.1), actual exploitability is constrained by two factors: (1) the attacker must hold a non-admin, non-power user role, meaning they need valid credentials or compromise of a low-privileged account, and (2) the attack requires phishing or social engineering to induce the victim to access the malicious dashboard. There is no evidence of automated or opportunistic exploitation in the wild (KEV status is false). This makes it a targeted attack vector rather than a widespread threat, though determined adversaries with internal access could weaponize it.

Remediation

Upgrade Splunk Enterprise to version 10.2.4, 10.0.7, 9.4.12, or 9.3.13 or later, depending on your current release line. Upgrade Splunk Cloud Platform to version 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132 or later. Verify against Splunk's official advisory for your specific version and deployment model to confirm the correct patch. As an interim mitigation, restrict low-privileged user permissions to create or edit classic dashboards and review existing dashboard permissions and content for suspicious scripts.

Patch guidance

Splunk has released patches across multiple version branches to address this vulnerability. Cloud customers should verify their current platform version and apply updates according to Splunk's patch schedule. Enterprise customers should test patches in a staging environment before production deployment, as dashboard functionality is typically user-facing and updates may require brief downtime or cache clearing. Verify the exact patch version required for your release line in Splunk's security advisory.

Detection guidance

Monitor Splunk audit logs for low-privileged users creating or modifying classic dashboards, particularly those with HTML panels. Look for suspicious JavaScript patterns (e.g., fetch, XMLHttpRequest, localStorage access) in dashboard XML configurations. Review dashboard change history and compare XML before and after modifications. Correlate dashboard modifications with subsequent user session anomalies (unusual data access, credential submissions to external URLs). Consider deploying a Web Application Firewall (WAF) or browser security controls in front of Splunk to detect or block injected scripts, though this is a secondary measure to patching.

Why prioritize this

This vulnerability warrants prompt patching because it affects multiple versions across two product lines and combines stored persistence with high-impact confidentiality and integrity risks. While exploitability is limited by privilege and social engineering requirements, organizations with diverse user bases or permissive dashboard-creation policies face meaningful risk. Prioritize patching systems accessible to many users or those managing sensitive data. The HIGH CVSS score and lack of automatic mitigation justify rapid deployment once tested.

Risk score, explained

CVSS 3.1 score of 7.1 reflects: Network attack vector (AV:N) due to browser-based exploitation, high attack complexity (AC:H) because social engineering and user interaction are required, low privilege requirement (PR:L) since non-admin users can trigger it, required user interaction (UI:R) to view the malicious dashboard, unchanged scope (S:U) as impact is limited to the affected application, and high confidentiality, integrity, and availability impact (C:H/I:H/A:H) within that scope. The HIGH severity is appropriate for a stored XSS with broad impact, though the social engineering barrier moderates the practical risk.

Frequently asked questions

Can this vulnerability be exploited without the victim's interaction?

No. The attacker must store malicious code in a dashboard, but the victim must then view that dashboard for the code to execute. The attacker cannot trigger execution remotely; they rely on phishing or social engineering to convince the victim to access the dashboard.

Do I need admin privileges to be affected by this vulnerability?

No, you do not need admin privileges to be affected. Any user, including low-privileged ones, can be a victim if they view a compromised dashboard. However, only users without admin or power roles can inject the malicious payload—meaning the attacker must either be a low-privileged user or compromise one.

What should I do if I cannot patch immediately?

As an interim step, restrict dashboard creation and modification permissions to trusted, high-privileged users only. Audit existing dashboards for suspicious HTML or JavaScript content. Educate users not to view dashboards from untrusted sources or unexpected links. Monitor for dashboard modifications by low-privileged accounts. These measures reduce risk but do not eliminate the vulnerability; patching is the definitive fix.

Is this vulnerability currently being exploited in the wild?

There is no evidence of active exploitation (KEV status is not assigned). However, this does not mean exploitation will not occur. Organizations should treat this as a credible risk and patch according to their update schedule, prioritizing systems with high user volume or sensitive data.

This analysis is provided for informational purposes and reflects information available as of the publication date. Patch versions, affected product versions, and specific remediation steps should be verified against Splunk's official security advisory and your organization's deployment documentation. This advisory does not constitute legal advice or a guarantee of security. Organizations are responsible for assessing the risk and applying patches according to their security policies and operational constraints. Proof-of-concept code is not provided; this advisory is intended for defensive and planning purposes only. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).