
Splunk Enterprise CVE-2026-20257 | EUVD-2026-36085 | MEDIUM
Improper Input Validation (CWE-20)
2026-06-10 · cisco · GHSA-73fj-f5qc-x4jf
CVSS 3.1 (NVD): 5.7

Severity by source

NVD (primary): 5.7 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

vuln.today AI: 5.7 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Network-accessible dashboard feature exploited by an authenticated low-privilege user; victim interaction mandatory; only browser-side confidentiality impacted, with no integrity or availability effect.

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis generated: Jun 10, 2026 20:36 (vuln.today)
Patch available: Jun 10, 2026 20:01 (EUVD)

Description (CVE.org)

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it.

The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List.

The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
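The validation gap described above is that a style attribute value can carry a url() reference to a host outside the Trusted Domains List. As an added example (not Splunk's code and not taken from the advisory), the JavaScript below audits style attribute values in classic dashboard XML for exactly that, including the CSS-escape and XML-entity spellings an attacker would use to hide "url(" from a naive string match. The allow-list, page origin, host-matching rule, attacker host names and dashboard snippet are all constructed for the example; how Splunk itself matches its Trusted Domains List is not reproduced here.

```javascript
// Added example, not Splunk code: audit classic-dashboard style attribute
// values for url() references that escape a Trusted Domains List.
// Assumptions (constructed, not from the advisory): the allow-list is a plain
// array of host names, relative references resolve against PAGE_ORIGIN, and
// the dashboard XML is available as a string.

const TRUSTED_DOMAINS = ['splunk.example.com', 'cdn.example.com']; // constructed
const PAGE_ORIGIN = 'https://splunk.example.com';                  // constructed

// Resolve the XML entity forms that can hide "url(" inside an attribute
// value, e.g. &#117;rl( or &#x75;rl(, before the CSS is examined.
function decodeXmlEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, e) => {
    if (e[0] !== '#') return named[e.toLowerCase()] ?? m;
    const hex = e[1] === 'x' || e[1] === 'X';
    return String.fromCodePoint(parseInt(e.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Strip CSS comments, then resolve CSS escapes so that "\75rl(" and "u\72l("
// are seen as the url( function the browser's tokenizer would produce.
function normalizeCss(s) {
  const noComments = s.replace(/\/\*[\s\S]*?\*\//g, '');
  return noComments.replace(/\\([0-9a-f]{1,6})\s?|\\([\s\S])/gi, (m, hex, ch) => {
    if (!hex) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
}

// Pull every url(...) argument and every quoted image-set(...) entry.
function extractStyleUrls(styleValue) {
  const css = normalizeCss(styleValue);
  const refs = [];
  const urlRe = /url\s*\(\s*(['"]?)([\s\S]*?)\1\s*\)/gi;
  let m;
  while ((m = urlRe.exec(css)) !== null) refs.push(m[2].trim());
  const setRe = /image-set\s*\(([^)]*)\)/gi;
  while ((m = setRe.exec(css)) !== null) {
    for (const q of m[1].matchAll(/(['"])([\s\S]*?)\1/g)) refs.push(q[2].trim());
  }
  return refs;
}

// Return the references a Trusted Domains List should have blocked.
// Relative references resolve to the page origin and pass; http(s) references
// to an allow-listed host or one of its subdomains pass. Everything else is
// reported: other hosts, protocol-relative "//host" forms, userinfo tricks
// such as https://splunk.example.com@attacker.example/, and non-http(s)
// schemes (this example's policy is deliberately stricter than a deployment
// that needs inline data: images may want).
function checkStyleValue(styleValue, trusted = TRUSTED_DOMAINS, pageOrigin = PAGE_ORIGIN) {
  const violations = [];
  for (const ref of extractStyleUrls(styleValue)) {
    let u;
    try { u = new URL(ref, pageOrigin); } catch { violations.push(ref); continue; }
    const host = u.hostname.toLowerCase();
    const ok = (u.protocol === 'https:' || u.protocol === 'http:') &&
      trusted.some(d => host === d || host.endsWith('.' + d));
    if (!ok) violations.push(ref);
  }
  return violations;
}

// Scan dashboard XML for style attributes carrying offending references.
// A regex pass is enough for the example; a real implementation should walk
// the parsed XML so attribute boundaries are exact.
function auditDashboardXml(xml, trusted = TRUSTED_DOMAINS, pageOrigin = PAGE_ORIGIN) {
  const findings = [];
  const attrRe = /\sstyle\s*=\s*(["'])([\s\S]*?)\1/gi;
  let m;
  while ((m = attrRe.exec(xml)) !== null) {
    const refs = checkStyleValue(decodeXmlEntities(m[2]), trusted, pageOrigin);
    if (refs.length) findings.push({ style: m[2], refs });
  }
  return findings;
}

// Constructed dashboard: one benign panel and two evasion attempts
// (a CSS hex escape and an XML numeric entity, both spelling "url(").
const SAMPLE_DASHBOARD_XML = `<dashboard>
  <row><panel><html><div style="background:url('/static/app/logo.png')">ok</div></html></panel></row>
  <row><panel><html><div style="background-image:\\75rl(https://collector.attacker.example/?p=1)">a</div></html></panel></row>
  <row><panel><html><div style="background:&#117;rl(&quot;//collector.attacker.example/p2&quot;)">b</div></html></panel></row>
</dashboard>`;

console.log(JSON.stringify(auditDashboardXml(SAMPLE_DASHBOARD_XML), null, 2));
```

Run with node; the two offending panels print as findings while the relative logo reference passes. The normalization order matters: comments are stripped first and escapes resolved second, which mirrors how a CSS tokenizer treats an escaped character as literal rather than as the start of a comment.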

Analysis (AI)

Classic dashboard style attribute injection in Splunk Enterprise and Splunk Cloud Platform enables a low-privileged authenticated user to craft panels that bypass the Trusted Domains List and exfiltrate sensitive data from a higher-privileged user's browser session. Affected branches span Splunk Enterprise below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and multiple Splunk Cloud Platform release trains. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Attacker authenticates with low-privilege Splunk account
Delivery
Craft classic dashboard panel with injected CSS style attribute referencing attacker domain
Exploit
Share or link malicious dashboard to target higher-privileged user
Execution
Phish victim into opening dashboard in browser
Persist
Victim browser exfiltrates sensitive data via outbound request to attacker domain
Impact
Attacker's server receives whatever data the crafted styles encoded into the victim browser's outbound request

Vulnerability Assessment (AI)

Exploitation The attacker must hold a valid Splunk account with at least low-level privileges (the description frames the threat as a user who does not hold the 'admin' or 'power' roles) and must be able to create and share classic dashboards within the Splunk instance. …
Risk Assessment The CVSS 3.1 score of 5.7 (Medium) reflects the conditional nature of this flaw: the attack vector is network-based and complexity is low, but the need for a low-privileged account (PR:L) and for victim interaction (UI:R) constrains real-world exploitability. …
Exploit Scenario A low-privileged Splunk user creates a classic dashboard containing a panel with a crafted CSS style attribute, for example a background-image whose url() points at an attacker-controlled server, then socially engineers a higher-privileged user such as an admin into opening that dashboard via a phishing message or a shared link in a collaboration channel. When the admin's browser renders the dashboard, it issues an outbound request to the attacker's server that the Trusted Domains List should have blocked. Because that request goes to a third-party origin, the browser does not attach the victim's Splunk session cookie to it; what the attacker receives is whatever the crafted styles encode into the request, in the manner of classic CSS-injection exfiltration (for instance, page content selected with attribute selectors and reflected into the request URL), which is consistent with the vector's C:H alongside I:N and A:N. …
Remediation Upgrade Splunk Enterprise to version 10.2.4, 10.0.7, 9.4.12, or 9.3.13 (or later within the respective branch), and Splunk Cloud Platform to 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132, as confirmed by the vendor advisory SVD-2026-0607 at https://advisory.splunk.com/advisories/SVD-2026-0607. …
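A practitioner's first question is whether a given instance sits below the fix for its branch. The JavaScript below is an added example, not vendor tooling, that maps an installed version string to the fixed release for its branch using the versions listed in the description. The product keys and the branch rule (two leading components for Splunk Enterprise, three for Splunk Cloud Platform, whose versions carry a YYMM component) are this example's assumptions; a branch the description does not list is reported as unknown rather than guessed.

```javascript
// Added example, not vendor tooling: is a Splunk version below the fixed
// release for its branch? Fixed versions are those in the CVE-2026-20257
// description; the product keys and branch rule are this example's assumptions.

const FIXED_VERSIONS = {
  // Splunk Enterprise: branch is major.minor, e.g. 9.4.11 -> branch 9.4
  enterprise: { branchParts: 2, fixed: ['10.2.4', '10.0.7', '9.4.12', '9.3.13'] },
  // Splunk Cloud Platform: branch is major.minor.YYMM, e.g. 10.3.2512.9 -> 10.3.2512
  cloud: { branchParts: 3, fixed: ['10.3.2512.13', '10.2.2510.15', '10.1.2507.23', '9.3.2411.132'] },
};

function parseVersion(v) {
  if (!/^\d+(\.\d+)+$/.test(v)) throw new Error(`unparseable version: ${v}`);
  return v.split('.').map(Number);
}

// Component-wise numeric comparison, so 10.2.10 sorts after 10.2.4
// (a plain string compare would rank it below and call a patched host affected).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function branchOf(version, parts) {
  return parseVersion(version).slice(0, parts).join('.');
}

// Returns { status, fixed }: 'affected' (below the branch fix), 'fixed', or
// 'unknown-branch' when the description lists no fix for that branch, in
// which case the vendor advisory, not a guess, should decide.
function assessSplunkVersion(product, version) {
  const spec = FIXED_VERSIONS[product];
  if (!spec) throw new Error(`unknown product: ${product}`);
  const branch = branchOf(version, spec.branchParts);
  const fixed = spec.fixed.find(f => branchOf(f, spec.branchParts) === branch);
  if (!fixed) return { status: 'unknown-branch', fixed: null };
  return { status: compareVersions(version, fixed) < 0 ? 'affected' : 'fixed', fixed };
}

console.log(assessSplunkVersion('enterprise', '9.4.11'));   // constructed input
console.log(assessSplunkVersion('cloud', '10.3.2512.9'));  // constructed input
```

Feed it the version reported by the instance (for example from the server info REST endpoint or the web UI's About dialog) and treat 'unknown-branch' as a prompt to read SVD-2026-0607, since the description lists no fixed release for branches such as Enterprise 10.1.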
