CVE-2026-20258
Status: Undergoing Analysis - In Progress
Stored XSS in Splunk Enterprise Classic Dashboard

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Meta Information

  • Generated: 2026-06-15
  • AI Q&A: 2026-06-10
  • EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 8 associated CPEs

Vendor   Product                  Version / Range
splunk   splunk_enterprise        < 10.2.4
splunk   splunk_enterprise        < 10.0.7
splunk   splunk_enterprise        < 9.4.12
splunk   splunk_enterprise        < 9.3.13
splunk   splunk_cloud_platform    < 10.3.2512.11
splunk   splunk_cloud_platform    < 10.2.2510.15
splunk   splunk_cloud_platform    < 10.1.2507.23
splunk   splunk_cloud_platform    < 9.3.2411.132
CWE

  • CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-20258 is a Stored Cross-Site Scripting (XSS) vulnerability in Splunk Enterprise and Splunk Cloud Platform. It allows a low-privileged user, who does not have admin or power roles, to inject malicious JavaScript code into a classic dashboard HTML panel. This malicious script then executes in the browser of another user when they interact with the affected dashboard.

The attack requires social engineering, meaning the attacker must trick the victim into initiating a request in their browser for the malicious code to run. The vulnerability affects specific versions of Splunk Enterprise and Splunk Cloud Platform below certain version thresholds.

Compliance Impact

This vulnerability allows unauthorized JavaScript code execution in another user's browser, potentially leading to unauthorized access or disclosure of sensitive information.

Such unauthorized access and potential data compromise could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding confidentiality and integrity of personal and sensitive data.

However, exploitation requires social engineering and user interaction, and mitigations such as upgrading to patched versions or disabling Splunk Web can prevent the vulnerability from being exploited.

Impact Analysis

This vulnerability can lead to unauthorized execution of malicious JavaScript code in the browsers of users who view the affected dashboards. This can compromise the confidentiality, integrity, and availability of data accessible through the Splunk dashboards.

  • An attacker could steal sensitive information from users' sessions.
  • The attacker might manipulate or corrupt data displayed in the dashboards.
  • It could lead to further attacks on users or the system by exploiting the executed script.

However, exploitation requires user interaction and social engineering, so it is not possible for an attacker to exploit this vulnerability without tricking a user.

Detection Guidance

Detection of this vulnerability involves identifying if your Splunk Enterprise or Splunk Cloud Platform versions are below the fixed versions listed for CVE-2026-20258. Additionally, checking for the presence of malicious scripts in classic dashboard HTML panels can indicate exploitation attempts.

You can verify the installed Splunk version by running the following command on your Splunk server:

  • splunk version

To detect potentially malicious scripts embedded in dashboards, you may need to review the dashboard XML or HTML content stored in Splunk. This can be done by exporting or inspecting dashboards via the Splunk Web interface or using the Splunk REST API.

For example, to list dashboards and inspect their content, you can use the Splunk REST API with a command like:

  • curl -k -u <username>:<password> https://<splunk-server>:8089/servicesNS/-/-/data/ui/views?output_mode=json

Then review the dashboard definitions for any suspicious embedded JavaScript in HTML panels.
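The review step above can be automated over the JSON that the data/ui/views endpoint returns. The following scanner is an added example (not Splunk's or the advisory's own code); it assumes each entry holds the dashboard XML in content["eai:data"] and its owner in content["eai:acl"]["owner"], and it runs offline against a constructed sample response.

```python
"""Flag classic Splunk dashboards whose <html> panels carry active script content."""
import json
import re
import xml.etree.ElementTree as ET

# Markup that should not appear in a plain HTML panel: script tags, inline
# event handlers, javascript: URLs and embeddable frames/objects.
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(iframe|object|embed)\b",
    re.IGNORECASE,
)

def html_panel_sources(dashboard_xml: str) -> list[str]:
    """Return the inner markup of every <html> panel in a classic dashboard XML."""
    root = ET.fromstring(dashboard_xml)
    panels = []
    for node in root.iter("html"):
        # Escaped text (&lt;script&gt;) is unescaped by the parser; child
        # elements are re-serialized so raw tags are visible to the regex.
        inner = (node.text or "") + "".join(ET.tostring(c, encoding="unicode") for c in node)
        panels.append(inner)
    return panels

def scan_views(api_json: str) -> list[dict]:
    """One finding per suspicious panel: view name, owner, panel index, matched token."""
    findings = []
    for entry in json.loads(api_json)["entry"]:
        content = entry.get("content", {})
        xml_src = content.get("eai:data") or ""
        if not xml_src.lstrip().startswith("<"):
            continue  # assumption: non-XML or empty views are not classic dashboards
        try:
            panels = html_panel_sources(xml_src)
        except ET.ParseError:
            continue  # malformed definitions are worth a manual look but cannot be parsed here
        for idx, markup in enumerate(panels):
            m = SUSPICIOUS.search(markup)
            if m:
                findings.append({"view": entry["name"], "panel": idx, "indicator": m.group(0),
                                 "owner": content.get("eai:acl", {}).get("owner", "?")})
    return findings

# Constructed sample response: one benign dashboard, one with an injected script tag.
SAMPLE = json.dumps({"entry": [
    {"name": "ops_overview", "content": {"eai:acl": {"owner": "admin"}, "eai:data":
     "<dashboard><row><panel><html><p>Uptime report</p></html></panel></row></dashboard>"}},
    {"name": "team_notes", "content": {"eai:acl": {"owner": "jdoe"}, "eai:data":
     "<dashboard><row><panel><html>&lt;script&gt;/* injected */&lt;/script&gt;</html></panel></row></dashboard>"}},
]})

if __name__ == "__main__":
    for f in scan_views(SAMPLE):
        print(f"{f['view']} (owner {f['owner']}) panel {f['panel']}: {f['indicator']}")
```

Feed it the saved output of the curl command above instead of SAMPLE to review a live instance; the owner field identifies which low-privileged account authored a flagged panel.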

Mitigation Strategies

Immediate mitigation steps for CVE-2026-20258 include upgrading your Splunk Enterprise or Splunk Cloud Platform to the fixed versions listed in the advisory.

  • Upgrade Splunk Enterprise to version 10.2.4 or later, or to at least 10.0.7, 9.4.12, or 9.3.13 as applicable.
  • Upgrade Splunk Cloud Platform to version 10.3.2512.11 or later, or to at least 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132 as applicable.

If an immediate upgrade is not possible, you can reduce the risk by disabling Splunk Web, or by leaving the default value of dashboard_html_allow_embeddable_content in web.conf unchanged, which prevents exploitation.
