PatchSiren cyber security CVE debrief
CVE-2026-20260 Splunk CVE debrief
CVE-2026-20260 is a log injection vulnerability in Splunk SOAR (Security Orchestration, Automation, and Response) versions below 8.5.0. An unauthenticated attacker could inject American National Standards Institute (ANSI) escape codes into SOAR application log files through specially crafted HTTP request paths. A terminal emulator might interpret these codes when an administrator views the logs. The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs.
- Vendor
- Splunk
- Product
- Splunk SOAR
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-10
Who should care
Administrators and users of Splunk SOAR versions below 8.5.0 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 4.3 and a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The weakness is classified as CWE-117.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade Splunk SOAR to version 8.5.0 or later.
- Review and sanitize HTTP request paths to prevent injection of control characters.
- Monitor application logs for suspicious activity.
Evidence notes
The CVE record was published on 2026-06-10T18:16:41.643Z and modified on 2026-06-10T18:36:19.463Z. The vulnerability was reported by [email protected].
Official resources
-
CVE-2026-20260 CVE record
CVE.org
-
CVE-2026-20260 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-20260 was published on 2026-06-10T18:16:41.643Z.