Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it.

The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List.

The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Published: 2026-06-10
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Splunk Enterprise versions before 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions before 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, allow a low-privileged user to craft a classic dashboard that contains unvalidated CSS style attributes. When a higher-privileged user opens the dashboard, the browser can send requests to external domains not included in the Trusted Domains List, enabling the attacker to capture sensitive information from the victim's browser. The flaw is a classic input validation issue (CWE-20).

Affected Systems

Splunk Enterprise versions earlier than 10.2.4, 10.0.7, 9.4.12, or 9.3.13, and Splunk Cloud Platform versions earlier than 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132 are affected.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. No EPSS score is reported, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a low-privileged account and a social-engineering step to make a higher-privileged user view the malicious dashboard; it cannot be leveraged automatically by the low-privileged user alone. While the potential for data leakage exists, effective exploitation hinges on user interaction, so the overall risk is constrained.

Generated by OpenCVE AI on June 10, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to the latest patched release that is at least 10.2.4 for the 10.x branch, 10.0.7 for the 10.0 branch, 9.4.12 for the 9.4 branch, or 9.3.13 for the 9.3 branch; apply the same update for any relevant custom builds.
  • Upgrade Splunk Cloud Platform to the latest patch that is at least 10.3.2512.13 for the 10.3 branch, 10.2.2510.15 for the 10.2 branch, 10.1.2507.23 for the 10.1 branch, or 9.3.2411.132 for the 9.3 branch.
  • Review the Trusted Domains List configuration to ensure that no external domains are inadvertently allowed for CSS requests, and consider restricting low-privileged users from creating or viewing classic dashboards that can inject CSS as an additional defensive measure.
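As an added defensive check (not OpenCVE's or Splunk's own code), the audit below parses a constructed classic-dashboard XML fragment and flags CSS url() targets, in style attributes and in style blocks, whose host lies outside an assumed Trusted Domains allowlist. The XML layout, the sample hostnames and the allowlist are assumptions, not taken from any real deployment.

```python
import re
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed sample of a classic (Simple XML style) dashboard; not from any real deployment.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Ops overview</label>
  <row>
    <panel>
      <html>
        <div style="background: url(https://assets.corp.example.com/logo.png)">Status</div>
        <div style="background-image: url('https://untrusted.example.net/p.png')">Alerts</div>
        <style>.hdr { background: url(//cdn.example.org/bg.png); }</style>
      </html>
    </panel>
  </row>
</dashboard>"""

# Assumed allowlist standing in for the deployment's Trusted Domains List.
TRUSTED_DOMAINS = {"assets.corp.example.com", "splunk.corp.example.com"}

URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def extract_urls(css: str):
    """Return every url(...) target found in a CSS fragment (style attribute or <style> body)."""
    return [m.group(1).strip() for m in URL_RE.finditer(css)]


def host_of(ref: str):
    """Host of a CSS url() target; scheme-relative '//host/...' resolves to an external host too."""
    if ref.startswith("//"):
        ref = "https:" + ref
    return urlparse(ref).hostname


def find_untrusted_css_refs(dashboard_xml: str, trusted: set):
    """List (element, location, host, url) for CSS url() targets whose host is not allowlisted.
    Relative references without a host are treated as same-origin and skipped."""
    findings = []
    for elem in ET.fromstring(dashboard_xml).iter():
        fragments = []
        if "style" in elem.attrib:
            fragments.append(("style attribute", elem.attrib["style"]))
        if elem.tag == "style" and elem.text:
            fragments.append(("style element", elem.text))
        for where, css in fragments:
            for ref in extract_urls(css):
                host = host_of(ref)
                if host and host not in trusted:
                    findings.append((elem.tag, where, host, ref))
    return findings


if __name__ == "__main__":
    for tag, where, host, ref in find_untrusted_css_refs(SAMPLE_DASHBOARD, TRUSTED_DOMAINS):
        print(f"untrusted host {host} in <{tag}> {where}: {ref}")
```

Run the same function over exported dashboard definitions before they are published to higher-privileged viewers; any finding is a reference the Trusted Domains List would not cover.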

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Splunk
                                      Splunk splunk Cloud Platform
                                      Splunk splunk Enterprise
Vendors & Products                    Splunk
                                      Splunk splunk Cloud Platform
                                      Splunk splunk Enterprise

Wed, 10 Jun 2026 18:15:00 +0000

Type         Values Removed   Values Added
Description                   In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Title                         Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise
Weaknesses                    CWE-20
References
Metrics                       cvssV3_1: score 5.7, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-10T18:24:02.482Z

Reserved: 2025-10-08T11:59:15.401Z

Link: CVE-2026-20257

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-10T18:16:41.257

Modified: 2026-06-10T18:36:19.463

Link: CVE-2026-20257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:30:37Z

Weaknesses