Splunk Enterprise Flaws Let Attackers Execute Malicious Script
A series of security advisories, released on June 10, 2026, details multiple high and critical vulnerabilities within Splunk Enterprise. These flaws could enable attackers to execute malicious scripts, exfiltrate sensitive data, and perform unauthorized file operations.
The most severe flaw, tracked as CVE-2026-20253, carries a CVSS score of 9.8 and affects Splunk Enterprise versions below 10.2.4 and 10.0.7.
The issue stems from missing authentication controls in a PostgreSQL sidecar service endpoint, allowing unauthenticated attackers to create or truncate arbitrary files.
This could lead to full system compromise, data destruction, or the persistence of malicious code without requiring user interaction.
Another high-severity vulnerability, CVE-2026-20258 (CVSS 7.1), involves stored cross-site scripting (XSS) in classic dashboards.
A low-privileged user can inject malicious JavaScript into dashboard HTML panels, which executes in the victim’s browser when they view the dashboard.
However, exploitation requires social engineering, as attackers must trick users into opening a crafted request.
Splunk also addressed a server-side request forgery (SSRF) vulnerability, CVE-2026-20252 (CVSS 7.6), in the Dashboard Studio PDF export feature.
The flaw allows attackers to send requests to internal systems by bypassing domain validation with crafted subdomains or redirect chains, which could expose internal services or sensitive data.
Several medium-severity vulnerabilities (CVE-2026-20254, CVE-2026-20255, CVE-2026-20256, and CVE-2026-20257) affect classic dashboards and stem from improper input validation.
These issues enable data exfiltration via CSS injection, protocol-relative URLs, and insufficient validation of external content.
In these scenarios, attackers with low privileges can craft malicious dashboards that extract sensitive data when accessed by higher-privileged users.
| CVE ID | Severity | Vulnerability | Impact |
|---|---|---|---|
| CVE-2026-20258 | High (7.1) | Stored XSS in Classic Dashboard HTML panel | Arbitrary JavaScript execution in victim browser |
| CVE-2026-20257 | Medium (5.7) | CSS input validation flaw | Data exfiltration to external domains |
| CVE-2026-20256 | Medium (5.7) | Protocol-relative URL validation flaw | Redirect-based data exfiltration |
| CVE-2026-20255 | Medium (5.7) | External content dialog validation flaw | Data exfiltration to untrusted domains |
| CVE-2026-20254 | Medium (5.7) | CSS restriction bypass | Credential and data exfiltration |
| CVE-2026-20253 | Critical (9.8) | Unauthenticated file creation/truncation | Full compromise of affected systems |
| CVE-2026-20252 | High (7.6) | SSRF in Dashboard Studio PDF export | Access to internal resources and data exposure |
For example, an attacker could create a dashboard containing a hidden request to an external server.
When an administrator views the dashboard, sensitive session data or tokens could be silently transmitted to the attacker-controlled domain.
All vulnerabilities primarily impact Splunk Web components and require some level of user interaction or misconfiguration, such as enabling embeddable HTML content or insufficiently restricting trusted domains.
Splunk has released patches addressing these issues across supported versions. Users are advised to upgrade to Splunk Enterprise 10.4.0, 10.2.4, 10.0.7, 9.4.12, or 9.3.13, and to the corresponding Splunk Cloud Platform versions.
As mitigations, organizations should disable Splunk Web when not required, restrict dashboard-creation permissions, and enforce strict trusted-domain policies. Keeping the setting “dashboard_html_allow_embeddable_content” disabled also reduces the risk of XSS exploitation.
No detection signatures have been provided for these vulnerabilities, increasing the importance of timely patching and configuration hardening.
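Since no signatures were published, a defender can at least verify the two controls the advisories point at: the installed version against the fixed releases listed above, and the `dashboard_html_allow_embeddable_content` setting. The script below is an added example, not Splunk's code; it assumes the setting lives under the `[settings]` stanza of `web.conf`, and the sample config is constructed.

```python
"""Added example: check a Splunk Enterprise install against the advisories above.
Assumption: dashboard_html_allow_embeddable_content sits in the [settings] stanza of web.conf."""
import configparser

# Lowest patched release per branch, as listed in the advisories.
FIXED = {(10, 4): (10, 4, 0), (10, 2): (10, 2, 4), (10, 0): (10, 0, 7),
         (9, 4): (9, 4, 12), (9, 3): (9, 3, 13)}


def parse_version(text):
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(version):
    """True when the installed version is at or above the fixed release on its branch.
    Branches with no listed fix (for example 10.1.x) return False: nothing says they are safe."""
    ver = parse_version(version)
    fixed = FIXED.get(ver[:2])
    return fixed is not None and ver >= fixed


def embeddable_content_enabled(web_conf_text):
    """Read web.conf text and report whether embeddable HTML content is turned on."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(web_conf_text)
    return conf.getboolean("settings", "dashboard_html_allow_embeddable_content", fallback=False)


def assess(version, web_conf_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not is_patched(version):
        findings.append(f"Splunk Enterprise {version} is below the fixed release on its branch "
                        "(or the branch has no listed fix); upgrade")
    if embeddable_content_enabled(web_conf_text):
        findings.append("dashboard_html_allow_embeddable_content is enabled; "
                        "disable it to reduce stored-XSS exposure")
    return findings


# Constructed sample web.conf for demonstration.
SAMPLE_WEB_CONF = """[settings]
httpport = 8000
dashboard_html_allow_embeddable_content = true
"""

if __name__ == "__main__":
    for finding in assess("10.2.3", SAMPLE_WEB_CONF):
        print(finding)
```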
Given Splunk’s widespread use in security operations and log analysis, successful exploitation could grant attackers access to highly sensitive operational and security data, making these vulnerabilities particularly critical in enterprise environments.