Third-Party Package Updates in Splunk Enterprise - July 2026
Advisory ID: SVD-2026-0705
CVE ID: Multiple
Published: 2026-07-15
Last Update: 2026-07-15
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.4.1, 10.2.5, 10.0.8, 9.4.13, and higher.
| Package | Remediation | CVE | Severity |
|---|---|---|---|
| github.com/golang/go1 | Upgraded the Go compiler to version 1.25.10 | Multiple | High |
| github.com/golang-jwt/jwt/v52 | Upgraded golang-jwt in `edge` binary to version 5.2.2 | CVE-2025-30204 | High |
| github.com/golang/go3 | Upgraded golang in `edge` binary to version 1.25.10 | Multiple | Critical |
| github.com/buger/jsonparser4 | Upgraded buger/jsonparser in `edge` binary to version 1.1.2 | CVE-2026-32285 | High |
| github.com/antchfx/xpath5 | Upgraded antchfx/xpath in `edge` binary to version 1.3.6 | CVE-2026-32287 | High |
| github.com/golang/go6 | Upgraded golang in `search service / cmp orchestrator` to versions 1.25.10 and 1.26.3 | Multiple | Critical |
| github.com/go-jose/go-jose/v47 | Upgraded go-jose in `search service / cmp orchestrator` to version 4.1.4 | CVE-2026-34986 | High |
| go.opentelemetry.io/otel/sdk8 | Upgraded opentelemetry in `search service / cmp orchestrator` to version 1.43.0 | Multiple | High |
| go.opentelemetry.io/otel9 | Upgraded opentelemetry/otel in `search service / cmp orchestrator` to version 1.43.0 | Multiple | High |
| github.com/golang/go10 | Upgraded golang in `etcd` binary to version 1.25.9 | Multiple | Critical |
| golang.org/x/crypto11 | Upgraded golang crypto in `etcd` binary to version 0.48.0 | CVE-2025-47913 | High |
| MongoDB12 | Upgraded MongoDB version 7.0.31 to version 7.0.34 and MongoDB version 8.0.20 to version 8.0.23 | Multiple | High |
1 Upgraded the Go compiler to version 1.25.10 to remedy CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32283, CVE-2026-39836, and CVE-2026-42501 in Splunk Enterprise versions 10.4.x and 10.2.x at opt/packages/cmp-orchestrator/splunk-cmp-orchestrator.
2 Upgraded golang-jwt in edge binary to version 5.2.2 to remedy CVE-2025-30204 at etc/apps/splunk_pipeline_builders/binaries/edge.
3 Upgraded golang in edge binary to version 1.25.10 to remedy CVE-2025-61726, CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283 at splunk/etc/apps/splunk_pipeline_builders/binaries/edge.
4 Upgraded buger/jsonparser in edge binary to version 1.1.2 to remedy CVE-2026-32285 at splunk/etc/apps/splunk_pipeline_builders/binaries/edge.
5 Upgraded antchfx/xpath in edge binary to version 1.3.6 to remedy CVE-2026-32287 at splunk/etc/apps/splunk_pipeline_builders/binaries/edge.
6 Upgraded golang in search service / cmp orchestrator to version 1.25.10 at opt/packages/cmp-orchestrator-1.264.20+ffeeb6e2-20260325t121916.tar.gz/splunk-cmp-orchestrator in Splunk Enterprise versions 10.2.5, 10.0.8, and 9.4.13, and upgraded golang to version 1.26.3 in Splunk Enterprise version 10.4.1 to remedy CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283.
7 Upgraded go-jose in search service / cmp orchestrator to version 4.1.4 at opt/packages/cmp-orchestrator-1.264.20+ffeeb6e2-20260325t121916.tar.gz/splunk-cmp-orchestrator to remedy CVE-2026-34986.
8 Upgraded opentelemetry/otel/sdk in search service / cmp orchestrator to version 1.43.0 at opt/packages/cmp-orchestrator-1.264.20+ffeeb6e2-20260325t121916.tar.gz/splunk-cmp-orchestrator to remedy CVE-2026-24051 and CVE-2026-39883.
9 Upgraded opentelemetry/otel in search service / cmp orchestrator to version 1.43.0 at opt/packages/cmp-orchestrator-1.264.20+ffeeb6e2-20260325t121916.tar.gz/splunk-cmp-orchestrator to remedy CVE-2026-29181 and CVE-2026-39882.
10 Upgraded golang in etcd binary to version 1.25.9 to remedy CVE-2026-27140, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, and CVE-2026-32283 at splunk/bin/etcd in Splunk Enterprise versions 10.4.1 and 10.2.5. The etcd, etcdctl, and etcdutl binaries are not present in Splunk Enterprise versions 10.0.x and 9.4.x.
11 Upgraded golang crypto in etcd binary to version 0.48.0 to remedy CVE-2025-47913 at splunk/bin/etcd in Splunk Enterprise versions 10.4.1 and 10.2.5. The etcd, etcdctl, and etcdutl binaries are not present in Splunk Enterprise versions 10.0.x and 9.4.x.
12 For Splunk Enterprise versions 9.4.13 and 10.0.8 for Linux and Windows, Splunk Enterprise upgraded MongoDB 7.0 from version 7.0.31 to version 7.0.34 at $SPLUNK_HOME/bin/mongod to remediate CVE-2026-8053, CVE-2026-8199, CVE-2026-8201, CVE-2026-8202, CVE-2026-8200, CVE-2026-6914, and CVE-2026-6915.
For Splunk Enterprise version 10.2.5 for Linux, Windows, and macOS, Splunk Enterprise upgraded MongoDB 8.0 from version 8.0.20 to version 8.0.23 and MongoDB 7.0 from version 7.0.31 to version 7.0.34 at $SPLUNK_HOME/bin/mongod to remediate CVE-2026-8053, CVE-2026-8199, CVE-2026-8201, CVE-2026-8202, CVE-2026-8200, CVE-2026-6914, and CVE-2026-6915.
For Splunk Enterprise version 10.4.1 for Linux, Windows, and macOS, Splunk Enterprise upgraded MongoDB 7.0 from version 7.0.31 to version 7.0.34 and MongoDB 8.0 from version 8.0.20 to version 8.0.23 at $SPLUNK_HOME/bin/mongod to remediate CVE-2026-8053, CVE-2026-8199, CVE-2026-8201, CVE-2026-8202, CVE-2026-8200, CVE-2026-6914, and CVE-2026-6915.
Solution
Upgrade Splunk Enterprise to versions 10.4.1, 10.2.5, 10.0.8, 9.4.13, or higher.
Product Status
| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Enterprise | 10.4 | Below 10.4.1 | 10.4.1 |
| Splunk Enterprise | 10.2 | 10.2.0 to 10.2.4 | 10.2.5 |
| Splunk Enterprise | 10.0 | 10.0.0 to 10.0.7 | 10.0.8 |
| Splunk Enterprise | 9.4 | 9.4.0 to 9.4.12 | 9.4.13 |
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.