These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A critical vulnerability, CVE-2026-20253, was found in Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14. This vulnerability allows an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The issue arises from the lack of authentication controls in the PostgreSQL sidecar service end [truncated]
CVE-2026-20260 is a log injection vulnerability in Splunk SOAR (Security Orchestration, Automation, and Response) versions below 8.5.0. An unauthenticated attacker could inject American National Standards Institute (ANSI) escape codes into SOAR application log files through specially crafted HTTP request paths. A terminal emulator might interpret these codes when an administrator views the logs. The injec [truncated]
A vulnerability exists in Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131. A user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassign [truncated]
A vulnerability was found in Splunk Enterprise and Splunk Cloud Platform. A low-privileged user could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. This is possible because classic dashboard panels do not fully validate style attribute values, allowing requests to reach external domains outside the configured Trusted Domains List.
A vulnerability was found in Splunk Enterprise and Splunk Cloud Platform. The issue allows a low-privileged user to craft a malicious classic dashboard that can exfiltrate sensitive data to an external server. This is possible due to incomplete URL validation on the external content dialog, which can allow requests to untrusted domains when a user interacts with a crafted dashboard.
A vulnerability was discovered in Splunk Enterprise and Splunk Cloud Platform. A low-privileged user who does not hold the 'admin' or 'power' Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. The vulnerability exists because trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains [truncated]
CVE-2026-20251 is a high-severity vulnerability affecting Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway. A low-privileged user without 'admin' or 'power' roles could exploit this vulnerability to achieve Remote Code Execution (RCE). The issue arises from the unsafe deserialization of App Key Value Store (KV Store) data via the 'jsonpickle' Python library.
CVE-2026-20240 was published on 2026-05-20. According to the CVE description and NVD metadata, a low-privileged user who is not in the Splunk admin or power roles could cause a denial of service in affected Splunk Enterprise and Splunk Cloud Platform versions by abusing the coldToFrozen.sh script in the splunk_archiver app. The issue stems from missing input validation that allows arbitrary path [truncated]
CVE-2026-20239 was published on 2026-05-20 and describes a high-severity information exposure issue in Splunk Enterprise and Splunk Cloud Platform. According to the NVD record, a user whose role grants access to the _internal index could view session cookies and response bodies containing sensitive data. The reported CVSS v3.1 score is 7.5 (HIGH).
CVE-2026-20238 is a confidentiality issue in Splunk AI Toolkit versions below 5.7.3. A low-privileged user without the admin or power roles may access data that was intended to be restricted by srchFilter settings on custom roles. The issue arises because the app’s authorize.conf includes a srchFilter entry for the built-in user role, and Splunk’s search-filter inheritance behavior can combine filters in [truncated]
CVE-2017-5880 is a denial-of-service issue in Splunk Web. A remote authenticated user can send a crafted GET request that crashes the daemon, disrupting availability. The issue was publicly disclosed on 2017-02-04 and is rated CVSS 6.5 (Medium).