SB2026020468 - Splunk SOAR update for third-party components
Published: February 4, 2026
Description
This security bulletin contains information about 10 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-9288)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a missing type check when handling untrusted input that can lead to calculation of invalid values or rewinding the hash state. A remote attacker can pass specially crafted data to the application and bypass implemented security restrictions.
2) Input validation error (CVE-ID: CVE-2025-9287)
The vulnerability allows a remote attacker to manipulate data or perform a denial of service attack.
The vulnerability exists due to a missing type check of untrusted input. A remote attacker can manipulate data representation within the application, which can lead to denial of service conditions or various calculation errors when handling private keys or hashes.
3) Infinite loop (CVE-ID: CVE-2025-57810)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop in the addImage method. A remote attacker can consume all available system resources and cause denial of service conditions.
4) Resource exhaustion (CVE-ID: CVE-2025-32873)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources in the django.utils.html.strip_tags() function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
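The defensive property item 4 calls for is that the cost of stripping markup from untrusted text stays proportional to the input length, however malformed the markup is. The following is an added example, not Django's strip_tags() and not code from the bulletin: a single-pass stripper with its own (deliberately simple) tag rules plus an input budget, so that no sequence of incomplete tags can make it re-scan the text. The MAX_INPUT_CHARS ceiling and the tag-start rule are assumptions chosen for this example.

```python
"""Linear-time tag stripping with an input budget (added example, not Django code)."""

# Assumption: a ceiling that suits the caller; untrusted text longer than this
# is rejected before any parsing work happens.
MAX_INPUT_CHARS = 64 * 1024


def strip_tags_linear(value: str, max_chars: int = MAX_INPUT_CHARS) -> str:
    """Remove <...> tags in one left-to-right pass.

    Rules chosen for this example:
      * '<' opens a tag only when followed by a letter, '/', '!' or '?';
        any other '<' is ordinary text and is kept.
      * Inside a tag, everything up to and including the next '>' is dropped;
        a tag that never closes is dropped to end of input.
    Every character is visited exactly once, so cost is O(len(value)) even for
    inputs made of thousands of incomplete tags.
    """
    if len(value) > max_chars:
        raise ValueError(f"input of {len(value)} chars exceeds budget of {max_chars}")

    out = []
    in_tag = False
    n = len(value)
    for i, ch in enumerate(value):
        if in_tag:
            if ch == ">":
                in_tag = False
        elif ch == "<" and i + 1 < n and (value[i + 1].isalpha() or value[i + 1] in "/!?"):
            in_tag = True
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs: normal markup, a comparison that is not a tag, and two
    # pathological shapes (unterminated tag openers, bare '<' runs).
    for sample in ["<b>bold</b> and <i>italic", "1 < 2 and 3 > 1", "<a" * 5000, "<" * 5000]:
        print(repr(strip_tags_linear(sample)[:40]))
```

A length budget alone is a blunt instrument; pairing it with a parser whose worst case is linear is what removes the asymmetry between the attacker's cost (bytes sent) and the server's cost (CPU spent).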
5) Inefficient regular expression complexity (CVE-ID: CVE-2025-5889)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions. A remote user can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.
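Item 5 names the generic condition (a backtracking regex fed untrusted input) without naming the pattern, so the useful defender-side artefact is a check that catches the shape behind most ReDoS findings before a pattern ships. The following added example, not code from the bulletin or from the affected component, walks the parse tree CPython's own regex parser produces (re._parser on 3.11+, sre_parse before that) and reports an unbounded repeat (+, *, {n,}) nested inside another unbounded repeat, as in (a+)+ or (\d+)*. It is a heuristic: it flags some patterns that are actually linear and does not catch overlapping alternation such as (a|a)+. The safe_compile() wrapper and its 4096-character input cap are this example's own design.

```python
"""Lint for nested unbounded quantifiers (added example; heuristic, see lead-in)."""
import re

try:  # CPython 3.11+ moved the parser to a private submodule of re
    from re import _parser as _rx
except ImportError:  # CPython <= 3.10
    import sre_parse as _rx

_REPEAT_OPS = {"MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT"}


def _walk_any(node, depth, findings):
    """Recurse through the tuples, lists and SubPatterns that make up the tree."""
    if isinstance(node, _rx.SubPattern):
        _walk(node, depth, findings)
    elif isinstance(node, (tuple, list)):
        for child in node:
            _walk_any(child, depth, findings)


def _walk(subpattern, depth, findings):
    for op, av in subpattern:
        # Repeat nodes carry (min, max, body); max == MAXREPEAT means unbounded.
        if getattr(op, "name", "") in _REPEAT_OPS and av[1] == _rx.MAXREPEAT:
            if depth > 0:
                findings.append(f"unbounded repeat nested {depth} level(s) inside another")
            _walk_any(av[2], depth + 1, findings)
        else:
            _walk_any(av, depth, findings)


def find_nested_quantifiers(pattern: str) -> list:
    """Return a list of findings; empty when the heuristic sees no nesting."""
    findings = []
    _walk(_rx.parse(pattern), 0, findings)
    return findings


def safe_compile(pattern: str, max_input_chars: int = 4096):
    """Compile only patterns that pass the lint and return a matcher that also
    refuses oversize input, a second and independent ReDoS mitigation."""
    problems = find_nested_quantifiers(pattern)
    if problems:
        raise ValueError(f"rejected pattern {pattern!r}: {problems}")
    compiled = re.compile(pattern)

    def fullmatch(text: str):
        if len(text) > max_input_chars:
            raise ValueError("input too long for matching untrusted data")
        return compiled.fullmatch(text)

    return fullmatch


if __name__ == "__main__":
    for p in [r"(a+)+", r"(\d+)*$", r"^[a-z0-9]+@[a-z0-9.]+$"]:
        print(p, "->", find_nested_quantifiers(p) or "ok")
```

Run the lint over every pattern that will see attacker-controlled text (request parsing, log scrubbing, input validation); a hit means the pattern needs rewriting so that each character can be consumed by only one path, and the input cap limits the damage from anything the heuristic misses.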
6) Insufficiently protected credentials (CVE-ID: CVE-2024-47081)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the library leaks .netrc credentials to third parties for specific maliciously crafted URLs. A remote attacker can gain access to sensitive information.
7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-47287)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive logging in the multipart/form-data parser. A remote attacker can force the application to generate an extremely high volume of logs and perform a denial of service (DoS) attack.
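The failure mode in item 7 is that the party who controls the input also controls how many log records the parser writes. A general mitigation, independent of which parser is involved, is a budget on repeated records. The following is an added example, not Tornado's or any other library's code: a logging.Filter that keys on the logger and the message template (not the formatted text, because the attacker controls the arguments that would make formatted text unique) and drops records once the key's budget for the current window is spent. The constructed scenario, logger name and budget values are assumptions of this example.

```python
"""Per-key log budget against log-volume exhaustion (added example)."""
import logging
import time


class BudgetedLogFilter(logging.Filter):
    """Let at most max_per_window records through per (logger, level, template) key."""

    def __init__(self, max_per_window: int = 5, window_seconds: float = 60.0, clock=time.monotonic):
        super().__init__()
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._clock = clock      # injectable so behaviour is deterministic in tests
        self._counts = {}        # key -> (window_start, records_allowed_so_far)
        self.suppressed = 0      # records dropped, worth exporting as a metric

    def filter(self, record: logging.LogRecord) -> bool:
        # record.msg is the template ("... part %d ..."), so hostile arguments
        # cannot make every record look different and evade the budget.
        key = (record.name, record.levelno, str(record.msg))
        now = self._clock()
        start, count = self._counts.get(key, (now, 0))
        if now - start >= self.window_seconds:
            start, count = now, 0          # new window, budget resets
        if count >= self.max_per_window:
            self._counts[key] = (start, count)
            self.suppressed += 1
            return False
        self._counts[key] = (start, count + 1)
        return True


class ListHandler(logging.Handler):
    """Collects emitted records in memory so the filter's effect can be checked."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def simulate_hostile_upload(parts: int, budget: int = 5):
    """Constructed scenario: a parser warns once per malformed multipart part.
    Returns (records emitted, records suppressed)."""
    fake_now = [0.0]
    flt = BudgetedLogFilter(max_per_window=budget, window_seconds=60.0, clock=lambda: fake_now[0])
    logger = logging.getLogger("example.multipart")   # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    handler = ListHandler()
    handler.addFilter(flt)
    logger.handlers.clear()                            # keep repeated calls independent
    logger.addHandler(handler)
    for i in range(parts):
        logger.warning("multipart/form-data: malformed part %d, skipping", i)
    return len(handler.records), flt.suppressed


if __name__ == "__main__":
    print(simulate_hostile_upload(1000))   # only the budgeted records reach the handler
```

Attach the filter to the handler that writes to disk or ships to the SIEM, and alert on the suppressed counter: a sudden jump is itself a signal that someone is feeding the parser malformed input.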
8) Input validation error (CVE-ID: CVE-2025-8715)
The vulnerability allows a remote user to execute arbitrary psql code.
The vulnerability exists in pg_dump due to insufficient validation of user-supplied input when handling newline characters. A remote attacker can trick the victim into loading a specially crafted backup and execute arbitrary psql code on the system.
9) Code Injection (CVE-ID: CVE-2025-8714)
The vulnerability allows a remote user to execute arbitrary psql code on the target system.
The vulnerability exists due to improper input validation in pg_dump. A malicious superuser of the origin server can inject arbitrary psql code, via psql meta-commands, into dumps produced by pg_dump, pg_dumpall, and pg_restore, for restore-time execution as the client operating system account running psql to restore the dump.
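Items 8 and 9 share one restore-side control: before a plain-format dump from a source you do not fully trust is fed to psql, scan it for lines psql would treat as meta-commands. The following added example (not PostgreSQL's code and not from the bulletin) does that while skipping COPY data blocks, where rows may legitimately begin with a backslash escape such as \N, and it reports backslash lines even when they appear in the middle of a multi-line statement, which is how a newline smuggled into an object name (item 8) ends up as a meta-command line. The allowlist of meta-commands that pg_dump and pg_dumpall emit themselves, the COPY header regex and the sample dump are assumptions of this example.

```python
"""Pre-restore scan of a plain-format dump for psql meta-commands (added example)."""
import re

# Assumption: meta-commands a reviewer expects to see in legitimate dump output;
# extend for your environment, but keep \! (shell) and \i / \ir (include) off it.
EXPECTED_META = {"\\connect", "\\restrict", "\\unrestrict"}

# Assumption: header shape pg_dump uses for inline table data.
COPY_START = re.compile(r"^COPY\s.*\bFROM\s+stdin\b.*;\s*$", re.IGNORECASE)


def scan_dump(text: str) -> list:
    """Return [(line_number, line)] for every non-COPY-data line that starts
    with a backslash command outside EXPECTED_META."""
    findings = []
    in_copy = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if in_copy:
            if line == "\\.":            # end-of-data marker closes the block
                in_copy = False
            continue                      # data rows are not interpreted by psql
        if COPY_START.match(line):
            in_copy = True
            continue
        stripped = line.lstrip()          # psql accepts leading whitespace before '\'
        if stripped.startswith("\\"):
            command = stripped.split(None, 1)[0]
            if command not in EXPECTED_META:
                findings.append((lineno, stripped.rstrip()))
    return findings


# Constructed sample, not a real dump: one expected meta-command, a COPY block
# whose data contains \N, a view whose name contains a newline so that the
# next line starts with a backslash, and a trailing injected shell command.
SAMPLE_DUMP = "\n".join([
    "SET client_encoding = 'UTF8';",
    "\\restrict k9f2constructed",
    "CREATE TABLE public.t (id integer);",
    "COPY public.t (id) FROM stdin;",
    "1",
    "\\N",
    "\\.",
    'CREATE VIEW public."v',
    '\\echo injected" AS SELECT 1;',
    "\\! echo constructed",
])


if __name__ == "__main__":
    for lineno, line in scan_dump(SAMPLE_DUMP):
        print(f"line {lineno}: {line}")
```

A clean scan is not proof of safety (psql has more than one way to reach a meta-command), so treat a non-empty result as a hard stop, and pair the scan with the vendor's fixed pg_dump and psql, which is what the Remediation section asks for.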
10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-8713)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists because PostgreSQL optimizer statistics allow a user to read sampled data from a view that the user cannot access. A remote user can gain access to sensitive information.
Remediation
Install the update from the vendor's website.