SB2026061256 - Multiple vulnerabilities in Splunk Enterprise


Published: June 12, 2026

Security Bulletin ID: SB2026061256
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 9
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 11% (1 of 9)
Medium: 11% (1 of 9)
Low: 78% (7 of 9)

Description

This security bulletin contains information about 9 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2026-20258)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript code in another user's browser.

The vulnerability exists due to insufficient sanitization of stored content in the classic dashboard HTML panel. A remote authenticated user can store a malicious script in an HTML panel; when another user views that dashboard, the script executes in the victim's browser.

User interaction is required (the victim must view the dashboard), and exploitation requires the dashboard_html_allow_embeddable_content setting to be enabled.


2) Input validation error (CVE-ID: CVE-2026-20257)

CWE-ID: CWE-20 - Improper Input Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper validation of CSS style attributes in classic dashboards. A remote authenticated user can craft a classic dashboard whose style attributes, when rendered, cause the viewer's browser to disclose sensitive information.

User interaction is required: a higher-privileged user must view the crafted dashboard and initiate a request within their browser.


3) Input validation error (CVE-ID: CVE-2026-20256)

CWE-ID: CWE-20 - Improper Input Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper validation of protocol-relative URLs in classic dashboard drill-down links. A protocol-relative URL (of the form //host/path) inherits the scheme of the current page but points at whatever host it names, so it navigates off the Splunk host while carrying no explicit http:// or https:// prefix. A remote authenticated user can create a crafted drill-down link of this form to disclose sensitive information.

User interaction is required: the victim must follow the crafted link. The external-navigation warning dialog that normally precedes a redirect off the Splunk host is not shown for such links.


4) Input validation error (CVE-ID: CVE-2026-20255)

CWE-ID: CWE-20 - Improper Input Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper validation of user-supplied URLs in the external content dialog of classic dashboards. A remote authenticated user can craft a malicious classic dashboard to disclose sensitive information.

User interaction with the crafted dashboard is required. Exploitation does not require the admin or power Splunk roles; a low-privileged user can create the dashboard.


5) Input validation error (CVE-ID: CVE-2026-20254)

CWE-ID: CWE-20 - Improper Input Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper validation of inline CSS style attributes when Splunk Web renders a crafted classic dashboard. The crafted styles bypass the external content restriction and cause the viewer's browser to make outbound requests to untrusted domains. A remote authenticated user can create such a dashboard to disclose sensitive information.

User interaction is required: exploitation occurs when a higher-privileged user views the crafted dashboard.


6) Missing Authentication for Critical Function (CVE-ID: CVE-2026-20253)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote unauthenticated attacker to create or truncate arbitrary files.

The vulnerability exists due to missing authentication on the PostgreSQL sidecar service endpoint that handles file operation requests. A remote attacker can send crafted requests to this endpoint to create or truncate arbitrary files.

The endpoint can be reached without credentials, and no user interaction is required.


7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-20252)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to make the server send requests to arbitrary internal destinations.

The vulnerability exists due to improper control of server-side request targets in the Dashboard Studio PDF export feature. A remote authenticated user can supply a crafted destination URL or redirect chain in a PDF export request and have the Splunk server issue requests to internal destinations that the user cannot reach directly.

Two defects combine: the trusted-domain check is a string prefix match, so a hostname that merely begins with an allowlisted domain passes, and HTTP redirects are followed automatically without re-validating each redirect target against the allowlist, so an allowlisted host can redirect the server to an internal address.
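The following is an added Python illustration of both defects side by side with their fixes. It is not Splunk's code: the allowlist, the canned responses standing in for the network (an allowlisted host answering with a redirect to an RFC 1918 address) and the function names are constructed for the example. It shows a prefix-match allowlist being passed by a look-alike hostname, an exact host comparison rejecting it, and a redirect follower that re-checks every hop against the allowlist instead of trusting only the first URL.

```python
from urllib.parse import urljoin, urlsplit

# Constructed allowlist of hosts the export service may fetch from
# (an assumption for the example, not Splunk's configuration).
TRUSTED_HOSTS = frozenset({"reports.example.com", "assets.example.com"})

# Constructed stand-in for the network: URL -> (status, Location header or body).
# The allowlisted report host redirects to an internal address.
FAKE_RESPONSES = {
    "https://reports.example.com/export.pdf": (302, "https://10.0.0.5/admin/"),
    "https://10.0.0.5/admin/": (200, "<internal admin page>"),
    "https://assets.example.com/logo.png": (200, "<png bytes>"),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fake_fetch(url):
    """Offline replacement for an HTTP client call; never touches the network."""
    return FAKE_RESPONSES.get(url, (404, ""))


def prefix_allowed(url: str) -> bool:
    """The flawed check: a string prefix match. Any hostname that merely begins
    with an allowlisted name passes, e.g. reports.example.com.evil.net."""
    return any(url.startswith(f"https://{host}") for host in TRUSTED_HOSTS)


def host_allowed(url: str) -> bool:
    """Parse the URL and compare the host exactly. Also pin the scheme, reject
    embedded credentials and non-default ports, and deny anything unparsable."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False
    return (
        parts.scheme == "https"
        and host in TRUSTED_HOSTS
        and port in (None, 443)
        and parts.username is None
    )


def fetch_export(url, fetch=fake_fetch, revalidate_redirects=True, max_redirects=5):
    """Follow redirects manually. With revalidate_redirects=False this mirrors an
    HTTP client left on automatic redirects: only the first URL is checked. With
    True, every redirect target is re-checked before it is requested."""
    if not host_allowed(url):
        raise PermissionError(f"blocked: {url}")
    for _ in range(max_redirects + 1):
        status, payload = fetch(url)
        if status not in REDIRECT_STATUSES:
            return url, payload
        url = urljoin(url, payload)  # Location may be relative
        if revalidate_redirects and not host_allowed(url):
            raise PermissionError(f"blocked redirect target: {url}")
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    print("prefix match passes look-alike host:",
          prefix_allowed("https://reports.example.com.evil.net/x"))
    print("blind follow lands on:", fetch_export(
        "https://reports.example.com/export.pdf", revalidate_redirects=False))
    try:
        fetch_export("https://reports.example.com/export.pdf")
    except PermissionError as exc:
        print("revalidating follow:", exc)
```

Exact host comparison and per-hop revalidation close the two defects named above. They do not address an allowlisted host whose name resolves to an internal address (DNS rebinding); that requires resolving the name and checking the resulting IP before connecting, which this example does not do.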


8) Deserialization of Untrusted Data (CVE-ID: CVE-2026-20251)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in the Splunk Secure Gateway app, which decodes App Key Value Store data with the jsonpickle Python library. jsonpickle reconstructs arbitrary Python objects from type tags embedded in the JSON, so a remote authenticated user who can supply specially crafted JSON data that the app decodes can execute arbitrary code on the Splunk instance.

Exploitation does not require the admin or power Splunk roles; a low-privileged user suffices.
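As an added example for this bulletin (not Secure Gateway code), the following Python screens KV Store records for jsonpickle's object-reconstruction tags before anything downstream could hand them to jsonpickle.decode(). jsonpickle marks Python objects with keys in the py/ namespace (py/object, py/type, py/reduce, py/function, py/newargs, py/state, py/id and others), and its decoder imports and calls whatever those tags name; plain data records never need them. The two sample records are constructed; the tag namespace check is the one fact the example relies on. The stdlib json module yields only dicts, lists and scalars, so decoding with it is the safe default.

```python
import json

# jsonpickle's type tags all live under this key prefix.
TAG_PREFIX = "py/"

# Constructed KV Store records for the demonstration (not real Secure Gateway data).
BENIGN_RECORD = '{"_key": "a1b2", "device_name": "phone", "registered": true}'
HOSTILE_RECORD = (
    '{"_key": "c3d4", "payload": {"py/object": "example_pkg.Example", '
    '"py/state": {"note": "placeholder"}}}'
)


def find_pickle_tags(node, path="$"):
    """Walk a decoded JSON tree and return the location of every py/ tag,
    so a refusal can say exactly where the object reconstruction was requested."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and key.startswith(TAG_PREFIX):
                hits.append(child)
            hits.extend(find_pickle_tags(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_pickle_tags(value, f"{path}[{index}]"))
    return hits


def screen(raw: str):
    """Decode with the stdlib json module and report any py/ tags found.
    json.loads never instantiates classes, so this step is safe on hostile input."""
    return find_pickle_tags(json.loads(raw))


def load_record(raw: str) -> dict:
    """Safe loader for a KV Store record: stdlib json only, and refuse any record
    carrying py/ tags so it can never reach jsonpickle.decode() downstream."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    hits = find_pickle_tags(data)
    if hits:
        raise ValueError(f"refusing record with object-reconstruction tags at {hits}")
    return data


if __name__ == "__main__":
    print("benign:", screen(BENIGN_RECORD))
    print("hostile:", screen(HOSTILE_RECORD))
    try:
        load_record(HOSTILE_RECORD)
    except ValueError as exc:
        print(exc)
```

The screen is defense in depth for code paths that cannot yet drop jsonpickle; the real fix is to decode untrusted records with json.loads and never with jsonpickle.decode().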


9) Improper access control (CVE-ID: CVE-2026-20259)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the ownership reassignment endpoint for saved searches. A remote privileged user can reassign ownership of saved searches to users outside the scope they are authorized to manage, exposing those searches to the new owner.

Exploitation requires a role that includes the edit_saved_search_owner capability.


Remediation

Install the update from the vendor's website.