What is the CVSS score of CVE-2026-20254?

CVE-2026-20254 has a CVSS 3.1 base score of 5.7 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.

Is there a patch available for CVE-2026-20254?

Yes, a patch is available for CVE-2026-20254. Update the affected software to the latest version immediately.

Splunk Enterprise CVE-2026-20254

EUVD-2026-36081 MEDIUM

Improper Input Validation (CWE-20)

2026-06-10 cisco

GHSA-c58f-cc4q-2mvj

Information Disclosure Splunk Splunk Enterprise Splunk Cloud Platform

5.7

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.7 MEDIUM

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Jun 10, 2026 - 20:01 EUVD

Analysis Generated

Jun 10, 2026 - 18:59 vuln.today

DescriptionCVE.org

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.<br><br>The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.

AnalysisAI

CSS injection in Splunk Enterprise and Splunk Cloud Platform classic dashboards enables credential and sensitive data exfiltration by low-privileged users targeting higher-privileged accounts. A low-privileged user (without 'admin' or 'power' roles) can craft a malicious classic dashboard containing injected CSS via inline style attributes; when a higher-privileged user views the dashboard, outbound HTTP requests are triggered to attacker-controlled external servers, bypassing the Trusted Domains restriction. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain low-privileged Splunk account

Delivery

Craft classic dashboard with CSS injection payload

Exploit

Position dashboard for admin visibility

Execution

Admin user opens dashboard in browser

Persist

Browser processes injected CSS and issues outbound request

Impact

Sensitive data or session credentials exfiltrated to attacker server

Access

Obtain low-privileged Splunk account

Delivery

Craft classic dashboard with CSS injection payload

Exploit

Position dashboard for admin visibility

Execution

Admin user opens dashboard in browser

Persist

Browser processes injected CSS and issues outbound request

Impact

Sensitive data or session credentials exfiltrated to attacker server

Vulnerability AssessmentAI

Exploitation	The attacker must hold a valid low-privileged Splunk account that does not have the 'admin' or 'power' role. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS base score of 5.7 (Medium) reflects the required user interaction (UI:R) and low-privilege prerequisite (PR:L), which temper what would otherwise be a more severe rating given the C:H confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with a low-privileged Splunk account crafts a classic dashboard embedding CSS injection payloads in inline style attributes - for example, using a CSS url() directive pointing to an attacker-controlled server - then saves or shares the dashboard in a location accessible to administrative users. When a higher-privileged user opens the dashboard in their browser, their Splunk session triggers the CSS-driven outbound request, potentially transmitting session tokens or credential material to the attacker's server. …
Remediation	The primary remediation is to upgrade to a patched release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-20253 CRITICAL Act Now

9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2026-20251 HIGH This Week

8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil

CVE-2026-20258 HIGH This Week

7.1 Jun 10

Stored cross-site scripting in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform (below

CVE-2026-20255 MEDIUM This Month

5.7 Jun 10

Classic dashboard URL validation bypass in Splunk Enterprise and Splunk Cloud Platform enables low-privileged authentica

CVE-2026-20256 MEDIUM This Month