Description
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user.

The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Published: 2026-03-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

A low‑privileged Splunk user can create an interface view that contains a malicious JavaScript payload when accessing the /manager/launcher/data/ui/views/_new endpoint. The payload is stored and later rendered in other users’ browsers, allowing the attacker to execute unauthorized JavaScript in the victim’s browser session. The weakness is a classic stored XSS, identified as CWE‑79, and can compromise confidentiality, integrity or availability of the affected system if the executed script performs malicious actions such as credential theft or further propagation.

Affected Systems

Splunk Cloud Platform and Splunk Enterprise are affected. Versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9 for Enterprise; and below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123 for Cloud Platform are vulnerable.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a phishing‑style vector where the victim’s browser initiates the request; an authenticated, non‑admin user must create the view, so the attack cannot be performed freely by an unauthenticated attacker.

Generated by OpenCVE AI on April 16, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to version 10.2.0 or later and Splunk Cloud Platform to version 10.2.2510.4 or later, which include the patch that removes the stored XSS path traversal flaw.
  • If an upgrade is not immediately possible, limit the creation of UI Views to users with admin or power roles, thereby preventing low‑privileged users from injecting malicious payloads.
  • Implement user training to recognize phishing attempts that deliver malicious scripts and consider a web‑filtering solution that blocks suspicious JavaScript content from being rendered in the Splunk UI.

Generated by OpenCVE AI on April 16, 2026 at 03:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Splunk splunk
CPEs cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*
Vendors & Products Splunk splunk

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Splunk
Splunk splunk Cloud Platform
Splunk splunk Enterprise
Vendors & Products Splunk
Splunk splunk Cloud Platform
Splunk splunk Enterprise

Wed, 11 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Title Stored Cross-Site Scripting (XSS) through Path Traversal in Splunk Enterprise
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

Splunk Splunk Splunk Cloud Platform Splunk Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-12T16:19:25.151Z

Reserved: 2025-10-08T11:59:15.388Z

Link: CVE-2026-20162

cve-icon Vulnrichment

Updated: 2026-03-12T15:39:46.401Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T17:16:56.420

Modified: 2026-03-23T14:20:36.137

Link: CVE-2026-20162

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses