VYPR
High severity · 7.1 · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-20258

Description

Splunk Enterprise and Cloud Platform are vulnerable to stored XSS via classic dashboard HTML panels, allowing low-privileged users to execute JavaScript in other users' browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user without 'admin' or 'power' roles can store a malicious script in a classic dashboard HTML panel. This can lead to unauthorized JavaScript code execution in another user's browser [1].

Exploitation

Exploitation requires the attacker to phish a victim, tricking them into initiating a request within their browser. A low-privileged user cannot exploit this vulnerability without user interaction [1].

Impact

An attacker can cause unauthorized JavaScript code to execute in the browser of another user. The scope and privilege level of the compromise depend on the victim's session and permissions within Splunk [1].

Mitigation

Upgrade Splunk Enterprise to version 10.4.0, 10.2.4, 10.0.7, 9.4.12, or 9.3.13, or a later release within the same branch. Splunk is actively patching Splunk Cloud Platform instances. As a workaround, turn off Splunk Web, or ensure that dashboard_html_allow_embeddable_content in web.conf remains at its default value of false [1].
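As an added example (not Splunk's own tooling and not part of this advisory), the following Python check compares an installed Splunk Enterprise version against the fixed releases listed above and reads the workaround setting from web.conf. The per-branch table, the handling of branches the advisory does not list, and the sample web.conf fragments are assumptions constructed for this example.

```python
"""Check a Splunk Enterprise host against CVE-2026-20258 (added example)."""
import configparser
from typing import Optional, Tuple

# First fixed release per maintenance branch, taken from the advisory text.
# 10.4.0 and later are fixed; branches the advisory does not list report None.
FIXED_BY_BRANCH = {
    (10, 2): (10, 2, 4),
    (10, 0): (10, 0, 7),
    (9, 4): (9, 4, 12),
    (9, 3): (9, 3, 13),
}

SETTING = "dashboard_html_allow_embeddable_content"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.3' into (10, 2, 3); missing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def version_vulnerable(version: str) -> Optional[bool]:
    """True if below the branch's fix, False if fixed, None if the branch is not listed."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    return False if v >= (10, 4, 0) else None


def html_embeds_enabled(web_conf_text: str) -> bool:
    """Read the [settings] stanza of web.conf; the setting defaults to false when absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(web_conf_text)
    return cp.getboolean("settings", SETTING, fallback=False)


def assess(version: str, web_conf_text: str) -> str:
    """Combine both checks into the action a defender should take."""
    vuln = version_vulnerable(version)
    if vuln is False:
        return "fixed"
    if html_embeds_enabled(web_conf_text):
        return "exposed: upgrade and reset %s to false" % SETTING
    return "workaround in place: upgrade at next window" if vuln else "branch not listed: verify with vendor"


# Constructed sample web.conf fragments (assumed, not taken from a real host).
WEB_CONF_WEAKENED = "[settings]\nhttpport = 8000\n%s = true\n" % SETTING
WEB_CONF_DEFAULT = "[settings]\nhttpport = 8000\n# setting left at its default (false)\n"

if __name__ == "__main__":
    print(assess("10.2.3", WEB_CONF_WEAKENED))  # exposed: upgrade and reset ... to false
```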

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
