Third-Party Package Updates in Splunk Enterprise - July 2026

Advisory ID: SVD-2026-0705

CVE ID:  Multiple

Published: 2026-07-15

Last Update: 2026-07-15

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.4.1, 10.2.5, 10.0.8, 9.4.13, and higher.

PackageRemediationCVESeverity
github.com/golang/go1Upgraded the Go compiler to version 1.25.10MultipleHigh
github.com/golang-jwt/jwt/v52Upgraded golang-jwt in `edge` binary to version 5.2.2CVE-2025-30204High
github.com/golang/go3Upgraded golang in `edge` binary to version 1.25.10MultipleCritical
github.com/buger/jsonparser4Upgraded buger/jsonparser in `edge` binary to version 1.1.2CVE-2026-32285High
github.com/antchfx/xpath5Upgraded antchfx/xpath in `edge` binary to version 1.3.6CVE-2026-32287High
github.com/golang/go6Upgraded golang in `search service / cmp orchestrator` to versions 1.25.10 and 1.26.3MultipleCritical
github.com/go-jose/go-jose/v47Upgraded go-jose in `search service / cmp orchestrator` to version 4.1.4CVE-2026-34986High
go.opentelemetry.io/otel/sdk8Upgraded opentelemetry in `search service / cmp orchestrator` to version 1.43.0MultipleHigh
go.opentelemetry.io/otel9Upgraded opentelemetry/otel in `search service / cmp orchestrator` to version 1.43.0MultipleHigh
github.com/golang/go10Upgraded golang in `etcd` binary to version 1.25.9MultipleCritical
golang.org/x/crypto11Upgraded golang crypto in `etcd` binary to version 0.48.0CVE-2025-47913High
MongoDB12Upgraded MongoDB version 7.0.31 to version 7.0.34 and MongoDB version 8.0.20 to version 8.0.23MultipleHigh

1 Upgraded the Go compiler to version 1.25.10 to remedy CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-39836, and CVE-2026-42501 in Splunk Enterprise versions 10.4.x and 10.2.x at opt/packages/cmp-orchestrator/splunk-cmp-orchestrator.

2 Upgraded golang-jwt in edge binary to version 5.2.2 to remedy CVE-2025-30204 at etc/apps/splunk_pipeline_builders/binaries/edge.

3 Upgraded golang in edge binary to version 1.25.10 to remedy CVE-2025-61726, CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283 at splunk/etc/apps/splunk_pipeline_builders/binaries/edge.

4 Upgraded buger/jsonparser in edge binary to version 1.1.2 to remedy CVE-2026-32285 at splunk/etc/apps/splunk_pipeline_builders/binaries/edge.

5 Upgraded antchfx/xpath in edge binary to version 1.3.6 to remedy CVE-2026-32287 at splunk/etc/apps/splunk_pipeline_builders/binaries/edge.

6 Upgraded golang in search service / cmp orchestrator to version 1.25.10 at opt/packages/cmp-orchestrator-1.264.20+ffeeb6e2-20260325t121916.tar.gz/splunk-cmp-orchestrator in Splunk Enterprise versions 10.2.5, 10.0.8, and 9.4.13, and upgraded golang to version 1.26.3 in Splunk Enterprise version 10.4.1 to remedy CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283.

7 Upgraded go-jose in search service / cmp orchestrator to version 4.1.4 at opt/packages/cmp-orchestrator-1.264.20+ffeeb6e2-20260325t121916.tar.gz/splunk-cmp-orchestrator to remedy CVE-2026-34986.

8 Upgraded opentelemetry/otel/sdk in search service / cmp orchestrator to version 1.43.0 at opt/packages/cmp-orchestrator-1.264.20+ffeeb6e2-20260325t121916.tar.gz/splunk-cmp-orchestrator to remedy CVE-2026-24051 and CVE-2026-39883.

9 Upgraded opentelemetry/otel in search service / cmp orchestrator to version 1.43.0 at opt/packages/cmp-orchestrator-1.264.20+ffeeb6e2-20260325t121916.tar.gz/splunk-cmp-orchestrator to remedy CVE-2026-29181 and CVE-2026-39882.

10 Upgraded golang in etcd binary to version 1.25.9 to remedy CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283 at splunk/bin/etcd in Splunk Enterprise versions 10.4.1 and 10.2.5. The etcd, etcdctl, and etcdutl binaries are not present in Splunk Enterprise versions 10.0.x and 9.4.x.

11 Upgraded golang crypto in etcd binary to version 0.48.0 to remedy CVE-2025-47913 at splunk/bin/etcd in Splunk Enterprise versions 10.4.1 and 10.2.5. The etcd, etcdctl, and etcdutl binaries are not present in Splunk Enterprise versions 10.0.x and 9.4.x.

12 For Splunk Enterprise versions 9.4.13 and 10.0.8 for Linux and Windows, Splunk Enterprise upgraded MongoDB 7.0 from version 7.0.31 to version 7.0.34 at $SPLUNK_HOME/bin/mongod to remediate CVE-2026-8053, CVE-2026-8199, CVE-2026-8201, CVE-2026-8202, CVE-2026-8200, CVE-2026-6914, and CVE-2026-6915.

For Splunk Enterprise version 10.2.5 for Linux, Windows, and macOS, Splunk Enterprise upgraded MongoDB 8.0 from version 8.0.20 to version 8.0.23 and MongoDB 7.0 from version 7.0.31 to version 7.0.34 at $SPLUNK_HOME/bin/mongod to remediate CVE-2026-8053, CVE-2026-8199, CVE-2026-8201, CVE-2026-8202, CVE-2026-8200, CVE-2026-6914, and CVE-2026-6915.

For Splunk Enterprise version 10.4.1 for Linux, Windows, and macOS, Splunk Enterprise upgraded MongoDB 7.0 from version 7.0.31 to version 7.0.34 and MongoDB 8.0 from version 8.0.20 to version 8.0.23 at $SPLUNK_HOME/bin/mongod to remediate CVE-2026-8053, CVE-2026-8199, CVE-2026-8201, CVE-2026-8202, CVE-2026-8200, CVE-2026-6914, and CVE-2026-6915.

Solution

Upgrade Splunk Enterprise to versions 10.4.1, 10.2.5, 10.0.8, 9.4.13, or higher.

Product Status

ProductBase VersionAffected VersionFix Version
Splunk Enterprise10.4Below 10.4.110.4.1
Splunk Enterprise10.210.2.0 to 10.2.410.2.5
Splunk Enterprise10.010.0.0 to 10.0.710.0.8
Splunk Enterprise9.49.4.0 to 9.4.129.4.13

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.