What is the CVSS score of CVE-2026-20255?

CVE-2026-20255 has a CVSS 3.1 base score of 5.7 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.

Is there a patch available for CVE-2026-20255?

Yes, a patch is available for CVE-2026-20255. Update the affected software to the latest version immediately.

Splunk Enterprise CVE-2026-20255

EUVD-2026-36083 MEDIUM

Improper Input Validation (CWE-20)

2026-06-10 cisco

GHSA-hw35-mvfj-v86g

Information Disclosure Splunk Splunk Enterprise Splunk Cloud Platform

5.7

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

5.7 MEDIUM

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Jun 10, 2026 - 20:01 EUVD

Analysis Generated

Jun 10, 2026 - 19:00 vuln.today

DescriptionCVE.org

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server.

The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard.

AnalysisAI

Classic dashboard URL validation bypass in Splunk Enterprise and Splunk Cloud Platform enables low-privileged authenticated users to craft dashboards that silently exfiltrate sensitive data to attacker-controlled external servers. The flaw (CWE-20) resides in the external content dialog, which fails to enforce complete domain restrictions, allowing outbound requests to untrusted hosts when a victim interacts with the malicious dashboard. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker authenticates with low-privilege Splunk account

Delivery

Craft malicious classic dashboard embedding external content URL

Exploit

Target attacker-controlled exfiltration endpoint in external content dialog

Execution

Social-engineer victim user to open crafted dashboard

Persist

Victim interaction triggers outbound HTTP request

Impact

Sensitive Splunk data exfiltrated to attacker server

Access

Attacker authenticates with low-privilege Splunk account

Delivery

Craft malicious classic dashboard embedding external content URL

Exploit

Target attacker-controlled exfiltration endpoint in external content dialog

Execution

Social-engineer victim user to open crafted dashboard

Persist

Victim interaction triggers outbound HTTP request

Impact

Sensitive Splunk data exfiltrated to attacker server

Vulnerability AssessmentAI

Exploitation	The attacker must hold a valid Splunk account with at least low-level privilege (PR:L per CVSS vector), but specifically must NOT hold the 'admin' or 'power' Splunk roles - these are the excluded tiers, meaning the vulnerable actor class is standard low-privileged users such as basic analysts or read-only accounts with dashboard creation rights. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS base score of 5.7 (Medium) is contextually appropriate given the PR:L (low privilege required) and UI:R (user interaction required) constraints that gate exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker holding a low-privileged Splunk account (absent 'admin' or 'power' roles) constructs a classic dashboard embedding an external content element with a crafted URL pointing to an attacker-controlled server. The attacker then socially engineers or phishes a higher-privileged victim user into viewing the dashboard, triggering an outbound HTTP request that carries sensitive Splunk data - such as search results containing log data, credentials, or tokens - to the external server. …
Remediation	The primary fix is to upgrade Splunk Enterprise to versions 10.2.4, 10.0.7, 9.4.12, or 9.3.13 depending on the installed release branch, and Splunk Cloud Platform to 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132 respectively, per vendor advisory SVD-2026-0605 at https://advisory.splunk.com/advisories/SVD-2026-0605. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-20253 CRITICAL Act Now

9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2026-20251 HIGH This Week

8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil

CVE-2026-20258 HIGH This Week

7.1 Jun 10

Stored cross-site scripting in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform (below

CVE-2026-20254 MEDIUM This Month

5.7 Jun 10

CSS injection in Splunk Enterprise and Splunk Cloud Platform classic dashboards enables credential and sensitive data ex

CVE-2026-20256 MEDIUM This Month