Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise
Advisory ID: SVD-2026-0608
CVE ID: CVE-2026-20258
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 7.1, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-79
Bug ID: VULN-66945
Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the “admin” or “power” Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user.
The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
For information about role capabilities, see Define roles on the Splunk platform with capabilities.
Solution
Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | Splunk Web | Not affected | N/A |
| Splunk Enterprise | 10.2 | Splunk Web | 10.2.0 to 10.2.3 | 10.2.4 |
| Splunk Enterprise | 10.0 | Splunk Web | 10.0.0 to 10.0.6 | 10.0.7 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.11 | 9.4.12 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.12 | 9.3.13 |
| Splunk Cloud Platform | 10.3.2512 | Splunk Web | Below 10.3.2512.11 | 10.3.2512.11 |
| Splunk Cloud Platform | 10.2.2510 | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132 |
Mitigations and Workarounds
The vulnerability affects instances with Splunk Web turned on, so turning off Splunk Web is a possible workaround.
See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning off Splunk Web.
Keep dashboard_html_allow_embeddable_content at its default value of false in the web.conf file. Turning this setting on is required for the attack to succeed; keeping the default eliminates the attack surface. See the web.conf configuration specification.
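The following is an added example for checking the two web.conf settings this advisory's workarounds rely on; it is not Splunk's code and not part of the advisory. It reads a web.conf-style text, takes the defaults the advisory states (dashboard_html_allow_embeddable_content defaults to false) and treats Splunk Web as on unless startwebserver is set to a false value, then reports whether the instance still exposes the attack surface. The boolean spellings it accepts and the sample configuration it is run on are constructed for illustration.

```python
"""
Audit a Splunk web.conf fragment for the settings this advisory's
workarounds depend on:
  - startwebserver: Splunk Web on/off (turning it off is a listed workaround)
  - dashboard_html_allow_embeddable_content: must stay at its default, false
This is an added, stand-alone example, not Splunk's own tooling.
"""
import configparser

# Common boolean spellings accepted in Splunk .conf files (assumption: the
# list is illustrative, not the authoritative grammar).
TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}
FALSE_VALUES = {"0", "false", "f", "no", "n", "off"}

SETTING_EMBED = "dashboard_html_allow_embeddable_content"
SETTING_WEB = "startwebserver"


def parse_splunk_bool(value: str) -> bool:
    """Map a .conf boolean string to bool; reject anything unrecognised."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"unrecognised boolean value: {value!r}")


def audit_web_conf(conf_text: str) -> dict:
    """
    Parse web.conf text and return:
      splunk_web_enabled         - startwebserver is on (default: on)
      embeddable_content_allowed - the advisory setting is true (default: false)
      exposed                    - both are true, i.e. the attack surface exists
      findings                   - human-readable notes for a report
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(conf_text)

    # All relevant keys live in the [settings] stanza; a missing stanza means defaults.
    if parser.has_section("settings"):
        settings = parser["settings"]
        web_raw = settings.get(SETTING_WEB, "1")
        embed_raw = settings.get(SETTING_EMBED, "false")
    else:
        web_raw, embed_raw = "1", "false"

    web_on = parse_splunk_bool(web_raw)
    embed_on = parse_splunk_bool(embed_raw)

    findings = []
    if not web_on:
        findings.append("Splunk Web is turned off; the advisory's workaround is in effect.")
    if embed_on:
        findings.append(f"{SETTING_EMBED} is enabled; reset it to its default of false.")
    elif web_on:
        findings.append(f"{SETTING_EMBED} is at its default (false); attack surface eliminated.")

    return {
        "splunk_web_enabled": web_on,
        "embeddable_content_allowed": embed_on,
        "exposed": web_on and embed_on,
        "findings": findings,
    }


# Constructed sample configurations (not from any real deployment).
WEAK_WEB_CONF = """
[settings]
startwebserver = 1
httpport = 8000
dashboard_html_allow_embeddable_content = true
"""

DEFAULT_WEB_CONF = """
[settings]
httpport = 8000
"""

WEB_OFF_CONF = """
[settings]
startwebserver = 0
dashboard_html_allow_embeddable_content = true
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_WEB_CONF), ("default", DEFAULT_WEB_CONF), ("web-off", WEB_OFF_CONF)]:
        result = audit_web_conf(text)
        print(f"{name}: exposed={result['exposed']}")
        for line in result["findings"]:
            print("  -", line)
```

Because a deployment layers several web.conf files (system defaults, system local, app-level copies), run the check against the merged view rather than a single file, for example by feeding it the output of `splunk btool web list settings`, which prints the effective `[settings]` stanza in the same key = value form.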
Detections
None
Severity
Splunk rates this vulnerability a 7.1, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H.
Acknowledgments
Tony Tong