
Splunk Enterprise EUVD-2026-36089 | CVE-2026-20258 (HIGH)
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 · cisco · GHSA-xg25-vr2h-r356
CVSS 3.1 (NVD): 7.1

Severity by source

NVD (primary): 7.1 HIGH
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD; NVD is the only scoring source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (2 events)

Patch available: Jun 10, 2026 - 20:01 (EUVD)
Analysis Generated: Jun 10, 2026 - 18:36 (vuln.today)

Description (CVE.org)

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user.

The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

Analysis (AI)

Stored cross-site scripting in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform (below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, 9.3.2411.132) allows a low-privileged authenticated user - without 'admin' or 'power' roles - to embed malicious JavaScript inside a classic dashboard HTML panel that executes in another user's browser session. Exploitation requires phishing the victim into initiating a specific browser request, and no public exploit was identified at time of analysis.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Obtain low-privileged Splunk account
  • Delivery: Create classic dashboard with HTML panel
  • Exploit: Embed malicious JavaScript payload
  • Install: Phish target admin/analyst
  • C2: Victim browser initiates triggering request
  • Execute: Payload executes in victim session
  • Impact: Hijack privileged Splunk actions and data

Vulnerability Assessment (AI)

Exploitation: The attacker must already hold a valid Splunk account with a non-admin, non-power role that retains the ability to create or edit a classic dashboard with an HTML panel; Dashboard Studio dashboards are not in scope. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H, score 7.1) reflects a realistic trade-off: network reachable and producing High C/I/A impact in the victim's session, but tempered by High attack complexity, Low privileges required, and User Interaction required. Splunk's own text reinforces this by stating that 'the low-privileged user should not be able to exploit the vulnerability at will' and that phishing is required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A user holding only a low-privileged Splunk role (not 'admin' or 'power') authors a classic dashboard containing an HTML panel laced with attacker-controlled JavaScript and shares a crafted link, then phishes a Splunk administrator into clicking it; when the admin's browser initiates the required request, the JavaScript executes in their authenticated Splunk session and can exfiltrate data, issue API calls, or pivot to administrative actions. No public exploit was identified at time of analysis, and the High attack complexity reflects the need to engineer the phishing flow that triggers the vulnerable code path.

Remediation: Vendor-released patches are available: upgrade Splunk Enterprise to 10.2.4, 10.0.7, 9.4.12, or 9.3.13 (matching your current maintenance branch), per the advisory at https://advisory.splunk.com/advisories/SVD-2026-0608. Splunk Cloud Platform customers should confirm they have been rolled forward to 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132, since that platform is vendor-operated. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify and inventory all Splunk Enterprise instances running versions below 10.2.4, 10.0.7, 9.4.12, or 9.3.13, and Splunk Cloud Platform instances below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132. …
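The inventory step above hinges on comparing each instance against the fixed version of its own maintenance branch, not against the highest fixed version overall. The following Python script is an added example, not part of the vuln.today record or of Splunk's advisory: the fixed-version tables are copied from the record, the host names and inventory rows are constructed, and the branch rule (first two version components for Enterprise, first three for Cloud, whose builds carry a release-train number) is an assumption drawn from the version formats listed here. A branch that the record does not name is reported as "unlisted" rather than guessed at.

```python
"""
Version triage for CVE-2026-20258 (example code, not from the page or the vendor).
Decides whether a Splunk Enterprise / Splunk Cloud Platform build is below the
fixed version of its own maintenance branch, as listed in the advisory record.
"""

# Fixed versions copied from the record, keyed by maintenance branch.
# Assumption: Enterprise branch = first two components ("10.2"),
# Cloud branch = first three components ("10.3.2512").
ENTERPRISE_FIXED = {"10.2": "10.2.4", "10.0": "10.0.7", "9.4": "9.4.12", "9.3": "9.3.13"}
CLOUD_FIXED = {
    "10.3.2512": "10.3.2512.11",
    "10.2.2510": "10.2.2510.15",
    "10.1.2507": "10.1.2507.23",
    "9.3.2411": "9.3.2411.132",
}
BRANCH_WIDTH = {"enterprise": 2, "cloud": 3}


def parse_version(v: str) -> tuple:
    """Split a dotted version into a tuple of ints; a trailing '-tag' is ignored."""
    parts = v.strip().split("-")[0].split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def branch_of(version: str, product: str) -> str:
    """Maintenance branch key for the product ('enterprise' or 'cloud')."""
    if product not in BRANCH_WIDTH:
        raise ValueError(f"unknown product: {product!r}")
    parts = version.strip().split("-")[0].split(".")
    return ".".join(parts[: BRANCH_WIDTH[product]])


def assess(version: str, product: str) -> str:
    """
    Return one of:
      "vulnerable" - below the fixed version of its maintenance branch
      "fixed"      - at or above the fixed version of its branch
      "unlisted"   - branch not named in the record; consult the vendor advisory,
                     this script cannot judge it from the page
    """
    table = ENTERPRISE_FIXED if product == "enterprise" else CLOUD_FIXED
    fixed = table.get(branch_of(version, product))
    if fixed is None:
        return "unlisted"
    # Tuple comparison is component-wise, so 10.2.3 < 10.2.4 and 9.4.12 == 9.4.12.
    return "vulnerable" if parse_version(version) < parse_version(fixed) else "fixed"


def triage(inventory):
    """Run assess() over (host, product, version) rows; returns [(host, status), ...]."""
    return [(host, assess(version, product)) for host, product, version in inventory]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("sh-01.example.internal", "enterprise", "10.2.3"),
    ("sh-02.example.internal", "enterprise", "10.2.4"),
    ("idx-01.example.internal", "enterprise", "9.4.12"),
    ("idx-02.example.internal", "enterprise", "9.2.5"),
    ("cloud-stack-a", "cloud", "10.3.2512.10"),
    ("cloud-stack-b", "cloud", "9.3.2411.132"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:26} {status}")
```

Feed it real version strings from `splunk version` (Enterprise) or the Cloud stack's About page, and treat every "unlisted" row as a question for the vendor advisory rather than as safe; the record only lists fixes for the four branches of each product.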



EUVD-2026-36089 vulnerability details – vuln.today
