CVE-2026-20257

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://advisory.splunk.com/advisories/SVD-2026-0607	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*

Configuration 2 (hide)

OR	cpe:2.3:a:splunk:splunk_cloud_platform::::::::
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::

History

15 Jun 2026, 14:05

Type	Values Removed	Values Added
CPE		cpe:2.3:a:splunk:splunk_cloud_platform:::::::: cpe:2.3:a:splunk:splunk:::::enterprise:::*
References	~~() https://advisory.splunk.com/advisories/SVD-2026-0607 -~~	() https://advisory.splunk.com/advisories/SVD-2026-0607 - Vendor Advisory
First Time		Splunk splunk Splunk Splunk splunk Cloud Platform

10 Jun 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-10 18:16

Updated : 2026-06-17 10:17

NVD link : CVE-2026-20257

Mitre link : CVE-2026-20257

CVE.ORG link : CVE-2026-20257

JSON object : View

Products Affected

splunk

splunk_cloud_platform
splunk

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2026-20257", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-20257", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-10T18:23:55.427272Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "psirt@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "affected": [{"source": "psirt@cisco.com", "affectedData": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "10.2", "lessThan": "10.2.4", "versionType": "custom"}, {"status": "affected", "version": "10.0", "lessThan": "10.0.7", "versionType": "custom"}, {"status": "affected", "version": "9.4", "lessThan": "9.4.12", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.13", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "10.3.2512", "lessThan": "10.3.2512.13", "versionType": "custom"}, {"status": "affected", "version": "10.2.2510", "lessThan": "10.2.2510.15", "versionType": "custom"}, {"status": "affected", "version": "10.1.2507", "lessThan": "10.1.2507.23", "versionType": "custom"}, {"status": "affected", "version": "9.3.2411", "lessThan": "9.3.2411.132", "versionType": "custom"}]}]}], "published": "2026-06-10T18:16:41.257", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0607", "tags": ["Vendor Advisory"], "source": "psirt@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@cisco.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. \n\nThe exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. \n\nThe vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will."}], "lastModified": "2026-06-17T10:17:20.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "B9D80F1C-F849-4D62-B82A-6B8963EEEBFB", "versionEndExcluding": "9.3.13", "versionStartIncluding": "9.3.0"}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "423B8DF2-B7A5-41AA-9CFD-75B2FD503ACC", "versionEndExcluding": "9.4.12", "versionStartIncluding": "9.4.0"}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "0C9F1DED-280E-4C76-A867-A7A8FCBD1F7A", "versionEndExcluding": "10.0.7", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "E3B992C0-AD5E-43A1-BAA3-6B11FFD5D750", "versionEndExcluding": "10.2.4", "versionStartIncluding": "10.2.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88A68C7C-BE2C-465C-812B-8F211A8AE935", "versionEndExcluding": "9.3.2411.132", "versionStartIncluding": "9.3.2411"}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84E3B0CD-9909-4F06-9ABE-763705D501C3", "versionEndExcluding": "10.1.2507.23", "versionStartIncluding": "10.1.2507"}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71B91525-F2D6-4699-8D6B-8D375A8785EE", "versionEndExcluding": "10.2.2510.15", "versionStartIncluding": "10.2.2510"}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6387100F-0867-4B83-8071-BA1FCE023B2F", "versionEndExcluding": "10.3.2512.13", "versionStartIncluding": "10.3.2512"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@cisco.com"}