Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.

The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.
Published: 2026-06-10
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A low-privileged user who does not hold the admin or power role can create a malicious classic dashboard that contains a CSS injection. When a higher-privileged user (such as an administrator) views the dashboard, the injected CSS triggers an outbound request to an external server, allowing credentials or other sensitive information to be exfiltrated. The flaw stems from inadequate validation of inline style attribute values, a weakness classified as CWE-20, and results in unauthorized information disclosure rather than code execution.

Affected Systems

The vulnerability affects Splunk Enterprise releases prior to 10.2.4, 10.0.7, 9.4.12, and 9.3.13, as well as Splunk Cloud Platform releases prior to 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132. Operators of Splunk Enterprise and Splunk Cloud Platform should compare their running version against these thresholds.

Risk and Exploitability

The CVSS score of 5.7 indicates medium severity. No EPSS score is available, so the historical likelihood of exploitation is unclear, and the vulnerability is not listed in the CISA KEV catalog. Current risk exposure therefore depends largely on whether a higher-privileged user is likely to view dashboards created by low-privileged users. The attack is inferred to require a crafted dashboard that a privileged user subsequently opens, making exploitation easier in environments where dashboard creation is not tightly controlled.

Generated by OpenCVE AI on June 10, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to a fixed release (10.2.4, 10.0.7, 9.4.12, or 9.3.13, or newer within that branch) and Splunk Cloud Platform to a fixed release (10.3.2512.13, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132, or newer within that branch) to apply the vendor patch that eliminates the CSS injection flaw.
  • Restrict dashboard design and edit permissions so that only admin or power roles may create or modify dashboards, thereby preventing low‑privileged users from injecting malicious CSS.
  • Configure trusted domain settings to reject inline style attributes that reference external URLs, ensuring that such content is sanitized or blocked before rendering.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Splunk; Splunk Cloud Platform; Splunk Enterprise

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Splunk; Splunk Cloud Platform; Splunk Enterprise

Wed, 10 Jun 2026 18:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection. The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.

Type: Title
  Values Removed: (none)
  Values Added: Information Disclosure through External Content Restriction Bypass in Splunk Enterprise

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-20

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-10T18:27:01.123Z

Reserved: 2025-10-08T11:59:15.401Z

Link: CVE-2026-20254

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-06-10T18:16:40.887

Modified: 2026-06-10T18:36:19.463

Link: CVE-2026-20254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:30:37Z

Weaknesses