CVE-2026-20162
Received Received - Intake
Stored XSS via Path Traversal in Splunk Enterprise Views

Publication date: 2026-03-11

Last updated on: 2026-03-23

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20162
EUVD
EUVD-2026-11226
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.3 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.9 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.9 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.123 (exc)
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.11 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.15 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20162 is a Stored Cross-Site Scripting (XSS) vulnerability found in certain versions of Splunk Enterprise and Splunk Cloud Platform. It occurs at the REST API endpoint /manager/launcher/data/ui/views/_new, where a low-privileged user without admin or power roles can create a malicious payload when creating a View. This payload exploits a path traversal vulnerability, which leads to the storage of malicious JavaScript code that executes in the browser of another user.

Exploitation requires the attacker to trick (phish) the victim into initiating a request in their browser. The vulnerability cannot be exploited arbitrarily by an authenticated user without user interaction.

Impact Analysis

This vulnerability can lead to unauthorized execution of JavaScript code in the browser of a user, potentially allowing attackers to steal sensitive information, hijack user sessions, or perform actions on behalf of the victim within the Splunk environment.

Because the attack requires phishing and user interaction, the risk depends on the ability of an attacker to trick users into initiating malicious requests.

The CVSS score of 6.3 (Medium) reflects a network attack vector with low complexity and low privileges required, but with high confidentiality impact.

Compliance Impact

I don't know

Detection Guidance

No specific detection methods or commands for identifying this vulnerability on your network or system are provided in the available information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Splunk Enterprise to versions 10.2.0, 10.0.3, 9.4.9, or 9.3.9 or upgrade Splunk Cloud Platform to the corresponding fixed versions.

As a workaround, disabling Splunk Web can prevent exploitation of this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20162. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart