=====================================================================
CERT-Renater Information Note No. 2026/VULN628
_____________________________________________________________________

DATE : 12/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Splunk Enterprise versions prior to 10.4.0, 10.2.4, 10.0.7, 9.4.12, 9.3.13, and Splunk Cloud Platform versions prior to 10.4.2604.3, 10.2.2510.15, 10.3.2512.13, 10.1.2507.23, 10.0.2503.14, 9.3.2411.132.
=====================================================================

https://advisory.splunk.com/advisories/SVD-2026-0603
https://advisory.splunk.com/advisories/SVD-2026-0601
https://advisory.splunk.com/advisories/SVD-2026-0602
https://advisory.splunk.com/advisories/SVD-2026-0609
https://advisory.splunk.com/advisories/SVD-2026-0608
https://advisory.splunk.com/advisories/SVD-2026-0607
https://advisory.splunk.com/advisories/SVD-2026-0606
https://advisory.splunk.com/advisories/SVD-2026-0605
https://advisory.splunk.com/advisories/SVD-2026-0604
_____________________________________________________________________

Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

Advisory ID: SVD-2026-0603
CVE ID: CVE-2026-20253
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 9.8, Critical
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-306
Bug ID: VULN-67169

Description

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.

See Secure Splunk Enterprise in the Splunk documentation for more information.
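A quick triage of an instance against the fixed versions in this note, as an added example that is not part of the CERT-Renater note or of Splunk's own tooling. The two tables are transcribed from the Product Status sections on this page (SVD-2026-0603 alone, and the union of every advisory's Solution line); the assumed input is the output of `$SPLUNK_HOME/bin/splunk version`, which is taken here to look like `Splunk 10.0.6 (build ...)`, and the sample strings are constructed, not captured from real hosts.

```python
import re

# Fixed versions of Splunk Enterprise per base version, transcribed from the
# Product Status tables on this page. 10.4.0 is the first release of its branch,
# so every 10.4.x build compares as fixed. A branch absent from an advisory's
# table is simply not listed by that advisory (for SVD-2026-0603, 9.x does not
# ship the PostgreSQL sidecar at all).
SVD_2026_0603 = {"10.4": "10.4.0", "10.2": "10.2.4", "10.0": "10.0.7"}
# Union of the "Solution" lines of every advisory in this note.
ALL_ADVISORIES = {"10.4": "10.4.0", "10.2": "10.2.4", "10.0": "10.0.7",
                  "9.4": "9.4.12", "9.3": "9.3.13"}

# Assumed shape of `splunk version` output: "Splunk 10.0.6 (build ...)".
_VERSION_RE = re.compile(r"Splunk\s+(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple[int, ...]:
    """Numeric version tuple from `splunk version` output or a bare 'a.b.c' string."""
    m = _VERSION_RE.search(text)
    raw = m.group(1) if m else text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)+", raw):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in raw.split("."))


def status(version: str, table: dict[str, str]) -> str:
    """'affected', 'fixed' or 'not listed' for one advisory's Product Status table."""
    v = parse_version(version)
    base = f"{v[0]}.{v[1]}"
    fix = table.get(base)
    if fix is None:
        # Not in the table: either not affected for this advisory, or a branch the
        # advisory does not cover at all. Read the advisory text; do not assume safe.
        return "not listed"
    return "affected" if v < parse_version(fix) else "fixed"


def triage(version_output: str) -> dict[str, str]:
    """Status of one instance against the two tables above."""
    return {
        "SVD-2026-0603": status(version_output, SVD_2026_0603),
        "all advisories in this note": status(version_output, ALL_ADVISORIES),
    }


if __name__ == "__main__":
    # Constructed samples of `splunk version` output, not captured from real hosts.
    for sample in ("Splunk 10.0.6 (build 0123456789ab)",
                   "Splunk 9.4.11 (build 0123456789ab)",
                   "Splunk 10.4.0 (build 0123456789ab)"):
        print(sample, "->", triage(sample))
```

The "not listed" result is deliberate: a branch missing from one advisory's table is not evidence of safety for the other advisories, so the union table is the one to act on for patch planning.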
Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4 and 10.0.7, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product               | Base Version | Component | Affected Version   | Fix Version
Splunk Enterprise     | 10.4         | splunkd   | Not affected       | 10.4.0
Splunk Enterprise     | 10.2         | splunkd   | 10.2.0 to 10.2.3   | 10.2.4
Splunk Enterprise     | 10.0         | splunkd   | 10.0.0 to 10.0.6   | 10.0.7
Splunk Cloud Platform | 10.4.2604    | splunkd   | Below 10.4.2604.3  | 10.4.2604.3
Splunk Cloud Platform | 10.2.2510    | splunkd   | Below 10.2.2510.14 | 10.2.2510.14

Mitigations and Workarounds

None

Detections

None

Severity

Splunk rates this vulnerability a 9.8, Critical, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Acknowledgments

Alex Hordijk (hordalex)

_____________________________________________________________________

Third-Party Package Updates in Splunk Enterprise - June 2026

Advisory ID: SVD-2026-0610
CVE ID: Multiple
Published: 2026-06-10
Last Update: 2026-06-10

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, 9.3.13, and higher.
Package                          | Remediation                                                                                    | CVE            | Severity
golang [1]                       | Upgraded the Go compiler used for the `compsup` binary to version go1.26.1                    | Multiple       | Critical
MongoDB [2]                      | Upgraded MongoDB version 7.0.30 to version 7.0.31 and MongoDB version 8.0.19 to version 8.0.20 | Multiple       | High
aiohttp [3]                      | Upgraded aiohttp to version 3.13.5                                                             | Multiple       | Critical
go.opentelemetry.io/otel/sdk [4] | Upgraded opentelemetry to version 1.43.0                                                       | CVE-2026-24051 | High
PostgreSQL [5]                   | Upgraded postgresql to version 17.8                                                            | Multiple       | High
golang.org/x/crypto [6]          | Upgraded golang crypto in the `etcd`, `etcdctl`, and `etcdutl` binaries to version 0.48.0      | Multiple       | High
apache-log4j [7]                 | Upgraded apache-log4j version 2.17.2 to version 2.25.4                                         | Multiple       | Medium
cloudflare/circl [8]             | Upgraded cloudflare/circl in the `compsup` binary to version 1.6.3                             | CVE-2026-1229  | Low
cloudflare/circl [9]             | Upgraded cloudflare/circl in the `splunk-supervisor` binary to version 1.6.3                   | CVE-2026-1229  | Low

[1] Upgraded the Go compiler used for the compsup binary to version go1.26.1 to remedy CVE-2025-68121, CVE-2025-61732, CVE-2025-61731, CVE-2025-61726, CVE-2026-25679 and CVE-2026-27142 at /opt/splunk/bin/compsup in Splunk Enterprise 10.4.0 and 9.3.13. The fix was already applied in prior Splunk Enterprise versions 10.2.3, 10.0.6, and 9.4.11.

[2] For Splunk Enterprise versions 9.4.12 and 10.0.7 for Linux and Windows, Splunk Enterprise upgraded MongoDB 7.0.30 to version 7.0.31 at $SPLUNK_HOME/bin/mongod to remedy CVE-2026-4147, CVE-2026-4148 and CVE-2026-4358. For Splunk Enterprise version 10.2.4 for Linux and Windows, Splunk Enterprise upgraded MongoDB 8.0.19 to version 8.0.20 at $SPLUNK_HOME/bin/mongod to remedy CVE-2026-4147, CVE-2026-4148 and CVE-2026-4358. For Splunk Enterprise version 10.4.0 for Linux and Windows, Splunk Enterprise upgraded MongoDB 7.0.30 to version 7.0.31 and MongoDB 8.0.19 to version 8.0.20 at $SPLUNK_HOME/bin/mongod to remedy CVE-2026-4147, CVE-2026-4148 and CVE-2026-4358.
[3] Upgraded aiohttp to version 3.13.5 to remedy CVE-2026-34516 and CVE-2026-34520 at $SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp-3.13.3.dist-info/METADATA in Splunk Enterprise versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13. The fix is applied in Splunk Secure Gateway app versions 3.10.6, 3.9.20 and 3.8.67.

[4] Upgraded opentelemetry to version 1.43.0 to remedy CVE-2026-24051 at $SPLUNK_HOME/packages/cmp-orchestrator-1.264.19+126da777-20260319t073336.tar.gz/splunk-cmp-orchestrator in Splunk Enterprise versions 10.4.0, 10.2.4 and 10.0.7. Splunk Enterprise versions 9.4.x and 9.3.x are not affected.

[5] Upgraded postgresql to version 17.8 to remedy CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, and CVE-2026-2006 in Splunk Enterprise versions 10.4.0, 10.2.4 and 10.0.7. The Postgres sidecar is not present in Splunk Enterprise versions 9.4.x and 9.3.x.

[6] Upgraded golang crypto in the etcd, etcdctl, and etcdutl binaries to version 0.48.0 to remedy CVE-2025-47913, CVE-2025-58181, and CVE-2025-47914 in Splunk Enterprise versions 10.4.0 and 10.2.4. The etcd, etcdctl, and etcdutl binaries are not present in Splunk Enterprise versions 10.0.x, 9.4.x and 9.3.x.

[7] Upgraded apache-log4j to version 2.25.4 to remedy CVE-2025-68161, CVE-2026-34480 and CVE-2026-34477 in Splunk Enterprise versions 10.0.7, 9.4.12 and 9.3.13. Splunk Enterprise versions 10.2.x and 10.4.x do not include apache-log4j.

[8] Upgraded cloudflare/circl in the compsup binary to version 1.6.3 to remedy CVE-2026-1229 at /opt/splunk/bin/compsup in Splunk Enterprise version 9.3.13. The fix was applied in prior Splunk Enterprise versions 10.0.6 and 9.4.11.

[9] Upgraded cloudflare/circl in the splunk-supervisor binary to version 1.6.3 to remedy CVE-2026-1229 at /opt/splunk/bin/splunk-supervisor in Splunk Enterprise versions 10.4.0 and 10.2.4.

Note for items 8 and 9: The affected binary name changed across Splunk Enterprise versions.
In earlier Splunk Enterprise versions 10.0.x, 9.4.x and 10.3.x, this component is referenced as compsup at /opt/splunk/bin/compsup. In later Splunk Enterprise versions 10.2.x and 10.4.0, the same component is referenced as splunk-supervisor at /opt/splunk/bin/splunk-supervisor.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, 9.3.13, or higher.

Product Status

Product           | Base Version | Affected Version | Fix Version
Splunk Enterprise | 10.4         | Below 10.4.0     | 10.4.0
Splunk Enterprise | 10.2         | 10.2.0 to 10.2.3 | 10.2.4
Splunk Enterprise | 10.0         | 10.0.0 to 10.0.6 | 10.0.7
Splunk Enterprise | 9.4          | 9.4.0 to 9.4.11  | 9.4.12
Splunk Enterprise | 9.3          | 9.3.0 to 9.3.12  | 9.3.13

Severity

For the CVEs in this list, Splunk adopted the vendor's severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.

_____________________________________________________________________

Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway

Advisory ID: SVD-2026-0601
CVE ID: CVE-2026-20251
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 8.8, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
Bug ID: VULN-69217

Description

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app. The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the 'jsonpickle' Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.
See App Key Value Store and About role-based user access in the Splunk documentation for more information.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product               | Base Version | Component             | Affected Version   | Fix Version
Splunk Enterprise     | 10.4         | Splunk Secure Gateway | Not affected       | N/A
Splunk Enterprise     | 10.2         | Splunk Secure Gateway | 10.2.0 to 10.2.3   | 10.2.4
Splunk Enterprise     | 10.0         | Splunk Secure Gateway | 10.0.0 to 10.0.6   | 10.0.7
Splunk Enterprise     | 9.4          | Splunk Secure Gateway | 9.4.0 to 9.4.11    | 9.4.12
Splunk Enterprise     | 9.3          | Splunk Secure Gateway | 9.3.0 to 9.3.12    | 9.3.13
Splunk Cloud Platform | 10.3.2512    | Splunk Secure Gateway | Below 10.3.2512.12 | 10.3.2512.12
Splunk Cloud Platform | 10.2.2510    | Splunk Secure Gateway | Below 10.2.2510.14 | 10.2.2510.14
Splunk Cloud Platform | 10.1.2507    | Splunk Secure Gateway | Below 10.1.2507.22 | 10.1.2507.22
Splunk Cloud Platform | 9.3.2411     | Splunk Secure Gateway | Below 9.3.2411.132 | 9.3.2411.132
Splunk Secure Gateway | 3.10         | -                     | Below 3.10.6       | 3.10.6
Splunk Secure Gateway | 3.9          | -                     | Below 3.9.20       | 3.9.20
Splunk Secure Gateway | 3.8          | -                     | Below 3.8.67       | 3.8.67

Mitigations and Workarounds

Turn off or remove the Splunk Secure Gateway app. See Manage app and add-on objects in the Splunk documentation.

Note: Splunk Mobile, Spacebridge, and Mission Control rely on functionality in the Splunk Secure Gateway app. If you do not use any of these apps, features, or functionality, as a potential mitigation, you may turn off or remove the app.

Detections

None

Severity

Splunk rates this vulnerability an 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. If you remove or turn off the Splunk Secure Gateway app, there should be no impact and the severity would be Informational.
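The failure mode behind SVD-2026-0601, shown as an added example that is not Splunk Secure Gateway code and does not import jsonpickle: a decoder that honours jsonpickle's `py/object` tag on data read back from a store lets whoever can write to that store pick the class that gets instantiated. The safe handling below treats stored JSON as data, honours the tag only for an explicit allowlist of types, and builds those through their constructor with declared fields only. The `SavedSearch` record type, the `demo.` tag prefix and the two documents are constructed for the demo; the "crafted" document names a harmless standard-library class purely to show that the document, not the application, chooses the type.

```python
import importlib
import json
from dataclasses import dataclass, fields
from typing import Any

# Tag convention used by jsonpickle: {"py/object": "module.Class", ...attributes}.
PY_OBJECT = "py/object"


def _resolve(dotted: str):
    module, _, name = dotted.rpartition(".")
    return getattr(importlib.import_module(module), name)


def unsafe_decode(doc: str) -> Any:
    """What an unvalidated jsonpickle-style decode amounts to: the *document* names
    the class, and the object is rebuilt without __init__ or any validation."""
    def hook(d: dict) -> Any:
        if PY_OBJECT in d:
            cls = _resolve(d.pop(PY_OBJECT))
            obj = cls.__new__(cls)
            obj.__dict__.update(d)
            return obj
        return d
    return json.loads(doc, object_hook=hook)


@dataclass
class SavedSearch:          # hypothetical record type for the demo
    name: str
    query: str


# Only these types may be rebuilt from stored JSON, and only via their constructors.
ALLOWED = {"demo.SavedSearch": SavedSearch}


def safe_decode(doc: str) -> Any:
    """Stored JSON is data. A py/object tag is honoured only for an allowlisted type,
    and the object is built through its constructor from declared fields only."""
    def hook(d: dict) -> Any:
        if PY_OBJECT not in d:
            return d
        tag = d.pop(PY_OBJECT)
        cls = ALLOWED.get(tag)
        if cls is None:
            raise ValueError(f"refusing to instantiate {tag!r} from stored data")
        unknown = set(d) - {f.name for f in fields(cls)}
        if unknown:
            raise ValueError(f"unexpected attributes for {tag!r}: {sorted(unknown)}")
        return cls(**d)
    return json.loads(doc, object_hook=hook)


# Constructed documents standing in for records read back from a KV Store collection.
LEGIT = '{"py/object": "demo.SavedSearch", "name": "errors", "query": "index=main error"}'
CRAFTED = '{"py/object": "argparse.Namespace", "name": "x", "extra": 1}'  # benign class, demo only


def demo() -> tuple[str, str, bool]:
    """(type the unsafe decode builds from CRAFTED, type the safe decode builds from
    LEGIT, whether the safe decode rejected CRAFTED)."""
    unsafe_type = type(unsafe_decode(CRAFTED)).__name__
    safe_type = type(safe_decode(LEGIT)).__name__
    try:
        safe_decode(CRAFTED)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_type, safe_type, rejected
```

The allowlist is the whole point: a KV Store collection is writable by any role that holds write permission on it, so anything reconstructed from it must be treated as untrusted input, exactly like a request body.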
Acknowledgments

M Mahdan Argya Syarif (0xbeludan)

_____________________________________________________________________

Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise

Advisory ID: SVD-2026-0602
CVE ID: CVE-2026-20252
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 7.6, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CWE: CWE-918
Bug ID: VULN-69892

Description

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.

See Secure Splunk Enterprise and Dashboard Studio in the Splunk documentation for more information.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.
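Both halves of the SVD-2026-0602 bug side by side with their fix, as an added example that is not Splunk's PDF export code: a host check done as a string prefix match accepts `docs.splunk.com.evil.com`, and a fetcher that validates the allowlist once and then follows `Location` headers blindly will walk to an internal address. The trusted-domain list, the redirect table and the internal address (192.0.2.10, a documentation-range address) are constructed so the example runs offline.

```python
from urllib.parse import urljoin, urlsplit

# Stand-in trusted-domain allowlist for the demo (assumption, not Splunk's list).
TRUSTED_DOMAINS = ("docs.splunk.com",)
MAX_REDIRECTS = 5


def trusted_prefix_match(url: str) -> bool:
    """The broken check: a string prefix comparison on the host.
    'docs.splunk.com.evil.com' starts with 'docs.splunk.com', so it passes."""
    host = urlsplit(url).hostname or ""
    return any(host.startswith(d) for d in TRUSTED_DOMAINS)


def trusted_host(url: str) -> bool:
    """Exact host or a subdomain of a trusted domain, https only, no userinfo in the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host or parts.username or parts.password:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


# Constructed responses standing in for the network: url -> (status, Location).
RESPONSES = {
    "https://docs.splunk.com/report": (302, "https://docs.splunk.com/report.pdf"),
    "https://docs.splunk.com/report.pdf": (200, None),
    "https://docs.splunk.com/go": (302, "http://192.0.2.10:8089/services/"),
    "http://192.0.2.10:8089/services/": (200, None),
}


def fetch_following_redirects(url: str, *, revalidate: bool) -> str:
    """Return the URL finally fetched. With revalidate=False the allowlist is checked
    once up front and every Location header is followed blindly (the redirect half
    of the bug); with revalidate=True each hop is checked again before it is fetched."""
    if not trusted_host(url):
        raise PermissionError(f"blocked: {url}")
    for _ in range(MAX_REDIRECTS):
        status, location = RESPONSES.get(url, (404, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return url
        url = urljoin(url, location)          # Location may be relative
        if revalidate and not trusted_host(url):
            raise PermissionError(f"blocked after redirect: {url}")
    raise RuntimeError("too many redirects")


def blocked_with_revalidation(url: str) -> bool:
    """True if the hardened fetch refuses the redirect chain starting at url."""
    try:
        fetch_following_redirects(url, revalidate=True)
        return False
    except PermissionError:
        return True
```

In a real HTTP client the equivalent is to disable automatic redirect following and loop over the 3xx responses yourself, so that every hop passes through `trusted_host` and the DNS answer for each hop is also checked against private ranges before the connection is made.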
Product Status

Product               | Base Version | Component  | Affected Version   | Fix Version
Splunk Enterprise     | 10.4         | Splunk Web | Not affected       | 10.4.0
Splunk Enterprise     | 10.2         | Splunk Web | 10.2.0 to 10.2.3   | 10.2.4
Splunk Enterprise     | 10.0         | Splunk Web | 10.0.0 to 10.0.6   | 10.0.7
Splunk Enterprise     | 9.4          | Splunk Web | 9.4.0 to 9.4.11    | 9.4.12
Splunk Enterprise     | 9.3          | Splunk Web | 9.3.0 to 9.3.12    | 9.3.13
Splunk Cloud Platform | 10.4.2604    | Splunk Web | Below 10.4.2604.3  | 10.4.2604.3
Splunk Cloud Platform | 10.3.2512    | Splunk Web | Below 10.3.2512.12 | 10.3.2512.12
Splunk Cloud Platform | 10.2.2510    | Splunk Web | Below 10.2.2510.14 | 10.2.2510.14
Splunk Cloud Platform | 10.1.2507    | Splunk Web | Below 10.1.2507.22 | 10.1.2507.22
Splunk Cloud Platform | 9.3.2411     | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132

Mitigations and Workarounds

None

Detections

None

Severity

Splunk rates this vulnerability a 7.6, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L.

Acknowledgments

M Mahdan Argya Syarif (0xbeludan)

_____________________________________________________________________

Improper Access Control in Splunk Enterprise

Advisory ID: SVD-2026-0609
CVE ID: CVE-2026-20259
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 5.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
CWE: CWE-284
Bug ID: VULN-58322

Description

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability edit_saved_search_owner could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.

See Manage saved searches and reports and Define roles on the Splunk platform with capabilities in the Splunk documentation for more information.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4 and 10.0.7, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product               | Base Version | Component  | Affected Version   | Fix Version
Splunk Enterprise     | 10.4         | Splunk Web | Not affected       | 10.4.0
Splunk Enterprise     | 10.2         | Splunk Web | 10.2.0 to 10.2.3   | 10.2.4
Splunk Enterprise     | 10.0         | Splunk Web | 10.0.0 to 10.0.6   | 10.0.7
Splunk Enterprise     | 9.4          | Splunk Web | Not affected       | N/A
Splunk Enterprise     | 9.3          | Splunk Web | Not affected       | N/A
Splunk Cloud Platform | 10.4.2604.0  | Splunk Web | Not affected       | 10.4.2604.0
Splunk Cloud Platform | 10.3.2512    | Splunk Web | Below 10.3.2512.12 | 10.3.2512.12
Splunk Cloud Platform | 10.2.2510    | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15
Splunk Cloud Platform | 10.1.2507    | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23
Splunk Cloud Platform | 10.0.2503    | Splunk Web | Below 10.0.2503.14 | 10.0.2503.14
Splunk Cloud Platform | 9.3.2411     | Splunk Web | Below 9.3.2411.131 | 9.3.2411.131

Mitigations and Workarounds

None

Detections

None

Severity

Splunk rates this vulnerability a 5.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N.

Acknowledgments

Andres Perez, Splunk

_____________________________________________________________________

Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise

Advisory ID: SVD-2026-0608
CVE ID: CVE-2026-20258
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 7.1, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-79
Bug ID: VULN-66945

Description

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.
The low-privileged user should not be able to exploit the vulnerability at will. For information about role capabilities, see Define roles on the Splunk platform with capabilities.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product               | Base Version | Component  | Affected Version   | Fix Version
Splunk Enterprise     | 10.4         | Splunk Web | Not affected       | N/A
Splunk Enterprise     | 10.2         | Splunk Web | 10.2.0 to 10.2.3   | 10.2.4
Splunk Enterprise     | 10.0         | Splunk Web | 10.0.0 to 10.0.6   | 10.0.7
Splunk Enterprise     | 9.4          | Splunk Web | 9.4.0 to 9.4.11    | 9.4.12
Splunk Enterprise     | 9.3          | Splunk Web | 9.3.0 to 9.3.12    | 9.3.13
Splunk Cloud Platform | 10.3.2512    | Splunk Web | Below 10.3.2512.11 | 10.3.2512.11
Splunk Cloud Platform | 10.2.2510    | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15
Splunk Cloud Platform | 10.1.2507    | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23
Splunk Cloud Platform | 9.3.2411     | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132

Mitigations and Workarounds

The vulnerability affects only instances with Splunk Web turned on; turning off Splunk Web is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning off Splunk Web.

Keep dashboard_html_allow_embeddable_content at its default value of false in the web.conf file. Turning this setting on is required for the attack to succeed; keeping the default eliminates the attack surface. See the web.conf configuration specification.

Detections

None

Severity

Splunk rates this vulnerability a 7.1, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H.
Acknowledgments

Tony Tong

_____________________________________________________________________

Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise

Advisory ID: SVD-2026-0607
CVE ID: CVE-2026-20257
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 5.7, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-20
Bug ID: VULN-62655

Description

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.

See Classic Dashboards Trusted Domains List and About role-based user access in the Splunk documentation.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status

Product               | Base Version | Component  | Affected Version   | Fix Version
Splunk Enterprise     | 10.4         | Splunk Web | Not affected       | 10.4.0
Splunk Enterprise     | 10.2         | Splunk Web | 10.2.0 to 10.2.3   | 10.2.4
Splunk Enterprise     | 10.0         | Splunk Web | 10.0.0 to 10.0.6   | 10.0.7
Splunk Enterprise     | 9.4          | Splunk Web | 9.4.0 to 9.4.11    | 9.4.12
Splunk Enterprise     | 9.3          | Splunk Web | 9.3.0 to 9.3.12    | 9.3.13
Splunk Cloud Platform | 10.3.2512    | Splunk Web | Below 10.3.2512.13 | 10.3.2512.13
Splunk Cloud Platform | 10.2.2510    | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15
Splunk Cloud Platform | 10.1.2507    | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23
Splunk Cloud Platform | 9.3.2411     | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132

Mitigations and Workarounds

Configure the Dashboards Trusted Domains List to restrict which external domains dashboards can load content from. See Classic Dashboards Trusted Domains List in the Splunk documentation.

Review and restrict which roles have permission to create and edit classic dashboards. See About role-based user access in the Splunk documentation.

Detections

None

Severity

Splunk rates this vulnerability a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.
Acknowledgments

Tony Tong (tongster)

_____________________________________________________________________

Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise

Advisory ID: SVD-2026-0606
CVE ID: CVE-2026-20256
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 5.7, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-20
Bug ID: VULN-62655

Description

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link. The vulnerability exists because the URL classifier in classic dashboards only recognizes http:// and https:// schemes when checking for external URLs. Protocol-relative URLs such as //attacker.com bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.

See Classic Dashboards Trusted Domains List and About role-based user access in the Splunk documentation.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.
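The classifier bug in SVD-2026-0606 next to a version that asks the right question, as an added example that is not Splunk Web code. The broken version decides "external" by looking for an `http://` or `https://` prefix, so `//attacker.example/...` is classified as an in-app link and no warning dialog appears. The replacement goes beyond the advisory's single case: it asks whether the resolved link stays on the app's own origin, after normalising the input the way browsers do (trimming whitespace, dropping embedded tab and newline, treating `\` as `/` in http(s) URLs), and treats any other scheme as leaving the app. The app origin and the link values are assumptions for the demo.

```python
from urllib.parse import urlsplit


def is_external_scheme_prefix(url: str) -> bool:
    """The classifier the advisory describes: only http:// and https:// count as
    external, so a protocol-relative '//attacker.example/...' is treated as an
    in-app link and the external-navigation warning is never shown."""
    return url.lower().startswith(("http://", "https://"))


def is_external(url: str, app_origin: str = "splunk.example.internal:8000") -> bool:
    """Treat a drilldown target as external unless it stays on the app's own origin.
    app_origin is host[:port] exactly as the browser sees it (demo assumption)."""
    # Browsers strip leading/trailing whitespace, remove embedded tab/newline, and
    # treat '\' as '/' in http(s) URLs; normalise the same way so the check sees
    # what the browser will actually navigate to.
    u = url.strip()
    for ch in "\t\r\n":
        u = u.replace(ch, "")
    u = u.replace("\\", "/")
    parts = urlsplit(u)
    if parts.scheme:
        # Any explicit scheme: only http(s) on our own origin counts as internal.
        # Note 'https:attacker.example' parses with an empty netloc here but a
        # browser still navigates to it, so an empty netloc is external too.
        return not (parts.scheme.lower() in ("http", "https")
                    and parts.netloc.lower() == app_origin.lower())
    if parts.netloc:
        # No scheme but an authority: the protocol-relative form from the advisory.
        return parts.netloc.lower() != app_origin.lower()
    return False      # path/query/fragment-only links stay on the app origin


def classify_drilldowns(links: list[str]) -> dict[str, str]:
    """Label each link the way the external-navigation dialog should see it."""
    return {link: ("external" if is_external(link) else "internal") for link in links}
```

The rule of thumb the fix encodes: decide by where the link resolves, never by what its string starts with, because the browser's parser is the one that matters and it accepts far more forms than `http://`.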
Product Status

Product               | Base Version | Component  | Affected Version   | Fix Version
Splunk Enterprise     | 10.4         | Splunk Web | Not affected       | 10.4.0
Splunk Enterprise     | 10.2         | Splunk Web | 10.2.0 to 10.2.3   | 10.2.4
Splunk Enterprise     | 10.0         | Splunk Web | 10.0.0 to 10.0.6   | 10.0.7
Splunk Enterprise     | 9.4          | Splunk Web | 9.4.0 to 9.4.11    | 9.4.12
Splunk Enterprise     | 9.3          | Splunk Web | 9.3.0 to 9.3.12    | 9.3.13
Splunk Cloud Platform | 10.3.2512    | Splunk Web | Below 10.3.2512.13 | 10.3.2512.13
Splunk Cloud Platform | 10.2.2510    | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15
Splunk Cloud Platform | 10.1.2507    | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23
Splunk Cloud Platform | 9.3.2411     | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132

Mitigations and Workarounds

Configure the Dashboards Trusted Domains List to restrict which external domains dashboards can load content from. See Classic Dashboards Trusted Domains List in the Splunk documentation.

Review and restrict which roles have permission to create and edit classic dashboards. See About role-based user access in the Splunk documentation.

Detections

None

Severity

Splunk rates this vulnerability a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.

Acknowledgments

Tony Tong (tongster)

_____________________________________________________________________

Improper Input Validation through Classic Dashboards in Splunk Enterprise

Advisory ID: SVD-2026-0605
CVE ID: CVE-2026-20255
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 5.7, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-20
Bug ID: VULN-62655

Description

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server.
The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard.

See Classic Dashboards Trusted Domains List and About role-based user access in the Splunk documentation for more information.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product               | Base Version | Component  | Affected Version   | Fix Version
Splunk Enterprise     | 10.4         | Splunk Web | Not affected       | 10.4.0
Splunk Enterprise     | 10.2         | Splunk Web | 10.2.0 to 10.2.3   | 10.2.4
Splunk Enterprise     | 10.0         | Splunk Web | 10.0.0 to 10.0.6   | 10.0.7
Splunk Enterprise     | 9.4          | Splunk Web | 9.4.0 to 9.4.11    | 9.4.12
Splunk Enterprise     | 9.3          | Splunk Web | 9.3.0 to 9.3.12    | 9.3.13
Splunk Cloud Platform | 10.3.2512    | Splunk Web | Below 10.3.2512.13 | 10.3.2512.13
Splunk Cloud Platform | 10.2.2510    | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15
Splunk Cloud Platform | 10.1.2507    | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23
Splunk Cloud Platform | 9.3.2411     | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132

Mitigations and Workarounds

Configure the Dashboards Trusted Domains List to restrict which external domains dashboards can load content from. See Classic Dashboards Trusted Domains List in the Splunk documentation.

Review and restrict which roles have permission to create and edit classic dashboards. See About role-based user access in the Splunk documentation.

Detections

None

Severity

Splunk rates this vulnerability a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.
Acknowledgments

Tony Tong (tongster)

_____________________________________________________________________

Information Disclosure through External Content Restriction Bypass in Splunk Enterprise

Advisory ID: SVD-2026-0604
CVE ID: CVE-2026-20254
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 5.7, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-20
Bug ID: VULN-62655

Description

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection. The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.

See Classic Dashboards Trusted Domains List and About role-based user access in the Splunk documentation for more information.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances.
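What a Trusted Domains check has to do with an inline style value, for SVD-2026-0607 and SVD-2026-0604 above, as an added example that is not Splunk Web code. A style attribute can carry `url(...)` references that the browser fetches, so the check must look at the value the browser will parse (HTML entities decoded, CSS comments removed), pull every `url()` out of it, treat protocol-relative references as external, and refuse values that contain CSS escape sequences rather than try to predict what the tokenizer will turn them into. The trusted list and the sample style values are constructed for the demo; 203.0.113.9 is a documentation-range address playing the attacker's host.

```python
import re
from html import unescape
from urllib.parse import urlsplit

# Stand-in Trusted Domains List for the demo (assumption, not a real configuration).
TRUSTED_DOMAINS = ("docs.splunk.com",)

# url( ... ) with optional quotes and whitespace; CSS function names are case-insensitive.
_URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)


def browser_view(style: str) -> str:
    """The value the browser actually parses: HTML entities are decoded when the
    attribute is read, and CSS comments are dropped by the CSS parser."""
    return re.sub(r"/\*.*?\*/", "", unescape(style), flags=re.DOTALL)


def ref_allowed(ref: str) -> bool:
    """Allow same-origin relative references and http(s) URLs whose host is on the
    trusted list. Everything else (other schemes, 'https:host' without slashes,
    unknown hosts) is rejected, so the check fails closed."""
    parts = urlsplit(ref.strip().replace("\\", "/"))
    if not parts.scheme and not parts.netloc:
        return True                                   # relative to the Splunk origin
    scheme = parts.scheme.lower() or "https"           # '//host/...' means https here
    if scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def validate_style(style: str) -> list[str]:
    """Problems found in one inline style value; an empty list means accept."""
    seen = browser_view(style)
    if "\\" in seen:
        # CSS escapes can spell url( or a scheme in forms a regex will not catch
        # (e.g. \75 rl( or \68ttps:); refuse rather than emulate the CSS tokenizer.
        return ["CSS escape sequence present; rejecting the value"]
    return [f"external reference: {m.group(2).strip()}"
            for m in _URL_RE.finditer(seen) if not ref_allowed(m.group(2))]
```

The two normalisation steps are what distinguish this from a naive regex over the raw attribute: an entity-encoded quote or a comment splitting `url(` is invisible to a check on the raw string but not to the browser, and the backslash rule means the validator never has to guess which of the many escape spellings the browser will accept.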
Product Status

Product               | Base Version | Component  | Affected Version   | Fix Version
Splunk Enterprise     | 10.4         | Splunk Web | Not affected       | 10.4.0
Splunk Enterprise     | 10.2         | Splunk Web | 10.2.0 to 10.2.3   | 10.2.4
Splunk Enterprise     | 10.0         | Splunk Web | 10.0.0 to 10.0.6   | 10.0.7
Splunk Enterprise     | 9.4          | Splunk Web | 9.4.0 to 9.4.11    | 9.4.12
Splunk Enterprise     | 9.3          | Splunk Web | 9.3.0 to 9.3.12    | 9.3.13
Splunk Cloud Platform | 10.3.2512    | Splunk Web | Below 10.3.2512.13 | 10.3.2512.13
Splunk Cloud Platform | 10.2.2510    | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15
Splunk Cloud Platform | 10.1.2507    | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23
Splunk Cloud Platform | 9.3.2411     | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132

Mitigations and Workarounds

Configure the Dashboards Trusted Domains List to restrict which external domains dashboards can load content from. See Classic Dashboards Trusted Domains List in the Splunk documentation.

Review and restrict which roles have permission to create and edit classic dashboards. See About role-based user access in the Splunk documentation.

Detections

None

Severity

Splunk rates this vulnerability a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.

Acknowledgments

Fredrik Alexandersson (stok)

=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44                +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41                +
+ 75013 Paris       | email : cert@support.renater.fr     +
=========================================================