Multiple Splunk Enterprise Vulnerabilities Allow Attackers to Execute Malicious Script
By Abinaya
June 11, 2026
Multiple high and critical vulnerabilities in Splunk Enterprise could allow attackers to execute malicious scripts, exfiltrate sensitive data, and perform unauthorized file operations, according to a series of security advisories released on June 10, 2026.
The most severe flaw, tracked as CVE-2026-20253, carries a CVSS score of 9.8 and affects Splunk Enterprise versions below 10.2.4 and 10.0.7.
The issue stems from missing authentication controls in a PostgreSQL sidecar service endpoint, allowing unauthenticated attackers to create or truncate arbitrary files.
This could lead to full system compromise, data destruction, or the persistence of malicious code without requiring user interaction.
Another high-severity vulnerability, CVE-2026-20258 (CVSS 7.1), involves stored cross-site scripting (XSS) in classic dashboards.
A low-privileged user can inject malicious JavaScript into dashboard HTML panels, which executes in the victim’s browser when they view the dashboard.
However, exploitation requires social engineering, as attackers must trick users into opening a crafted request.
Splunk also addressed a server-side request forgery (SSRF) vulnerability, CVE-2026-20252 (CVSS 7.6), in the Dashboard Studio PDF export feature.
The flaw allows attackers to send requests to internal systems by bypassing domain validation using crafted subdomains or redirect chains, which could expose internal services or sensitive data.
Several medium-severity vulnerabilities (CVE-2026-20254, CVE-2026-20255, CVE-2026-20256, and CVE-2026-20257) affect classic dashboards and stem from improper input validation.
These issues enable data exfiltration via CSS injection, protocol-relative URLs, and insufficient validation of external content.
In these scenarios, attackers with low privileges can craft malicious dashboards that extract sensitive data when accessed by higher-privileged users.
| CVE ID | Severity | Vulnerability | Impact |
|---|---|---|---|
| CVE-2026-20258 | High (7.1) | Stored XSS in Classic Dashboard HTML panel | Arbitrary JavaScript execution in victim browser |
| CVE-2026-20257 | Medium (5.7) | CSS input validation flaw | Data exfiltration to external domains |
| CVE-2026-20256 | Medium (5.7) | Protocol-relative URL validation flaw | Redirect-based data exfiltration |
| CVE-2026-20255 | Medium (5.7) | External content dialog validation flaw | Data exfiltration to untrusted domains |
| CVE-2026-20254 | Medium (5.7) | CSS restriction bypass | Credential and data exfiltration |
| CVE-2026-20253 | Critical (9.8) | Unauthenticated file creation/truncation | Full compromise of affected systems |
| CVE-2026-20252 | High (7.6) | SSRF in Dashboard Studio PDF export | Access to internal resources and data exposure |
For example, an attacker could create a dashboard containing a hidden request to an external server.
When an administrator views the dashboard, sensitive session data or tokens could be silently transmitted to the attacker-controlled domain.
All vulnerabilities primarily impact Splunk Web components and require some level of user interaction or misconfiguration, such as enabling embeddable HTML content or insufficiently restricting trusted domains.
Splunk has released patches addressing these issues across supported versions. Users are advised to upgrade to Splunk Enterprise 10.4.0, 10.2.4, 10.0.7, 9.4.12, or 9.3.13, and to the corresponding Splunk Cloud Platform versions.
As mitigations, organizations should disable Splunk Web when not required, restrict dashboard-creation permissions, and enforce strict trusted-domain policies. Keeping the setting “dashboard_html_allow_embeddable_content” disabled also reduces the risk of XSS exploitation.
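The upgrade and hardening guidance above can be turned into a quick audit. The following is an added example, not code from Splunk or from the original article; it assumes the setting lives in the `[settings]` stanza of `web.conf`, that `startwebserver` is the switch for Splunk Web, and that release lines not named in the article need manual review.

```python
import re

# Fixed release per release line, taken from the upgrade guidance in the article.
FIXED = {(10, 4): 0, (10, 2): 4, (10, 0): 7, (9, 4): 12, (9, 3): 13}
TRUTHY = {"1", "true", "t", "yes", "y"}  # boolean spellings accepted here

def version_status(version):
    """Return 'patched', 'vulnerable', or 'unlisted' for a version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognized version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unlisted"  # release line not named in the article: review manually
    return "patched" if patch >= fixed else "vulnerable"

def read_settings(conf_text):
    """Collect key/value pairs from the [settings] stanza of web.conf text."""
    stanza, out = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "settings" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def audit(version, conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    status = version_status(version)
    if status != "patched":
        findings.append(f"version {version}: {status}")
    s = read_settings(conf_text)
    # Assumed defaults: embeddable content off, Splunk Web on.
    if s.get("dashboard_html_allow_embeddable_content", "false").lower() in TRUTHY:
        findings.append("dashboard_html_allow_embeddable_content is enabled")
    if s.get("startwebserver", "1").lower() in TRUTHY:
        findings.append("Splunk Web is enabled; disable it if not required")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE_WEB_CONF = "[settings]\nstartwebserver = 1\ndashboard_html_allow_embeddable_content = true\n"

if __name__ == "__main__":
    for finding in audit("10.2.3", SAMPLE_WEB_CONF):
        print("FINDING:", finding)
```

Because Splunk merges configuration from several directories, run the check against the effective configuration (for example the output of `splunk btool web list settings`) rather than a single file.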
No detection signatures have been provided for these vulnerabilities, increasing the importance of timely patching and configuration hardening.
Given Splunk’s widespread use in security operations and log analysis, successful exploitation could grant attackers access to highly sensitive operational and security data, making these vulnerabilities particularly critical in enterprise environments.