Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing

Advisory ID: SVD-2023-1104

CVE ID: CVE-2023-46214

Published: 2023-11-16

Last Update: 2023-12-12

CVSSv3.1 Score: 8.0, High


Bug ID: SPL-241695


In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.


Upgrade Splunk Enterprise to either 9.0.7 or 9.1.2.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise9.0Splunk Web9.0.0 to
Splunk Enterprise9.1Splunk Web9.1.0 to
Splunk Cloud-Splunk WebVersions below 9.1.23089.1.2308

Mitigations and Workarounds

If you cannot upgrade, limit the ability of search job requests to accept XML stylesheet language (XSL) as valid input.

Edit the web.conf configuration file and add the following configuration on instances where you want to limit the ability of search job requests to accept XSL:

enableSearchJobXslt = false

For more information on modifying the web.conf configuration file, see How to edit a configuration file and the web.conf configuration specification. For earlier Splunk Enterprise versions, review the web.conf specification for availability of the enableSearchJobXslt setting.



Splunk rates this vulnerability a 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H.


Alex Hordijk


  • 2023-12-12: Added credit

  • 2023-11-22: Added Splunk RCE via User XSLT detection

  • 2023-11-21: Updated Mitigations

  • 2023-11-20: Added relevant detection link