CVE-2026-20204
Published: 2026-04-15
Priority: P3 · 49 · high · CVSS 3.1: 7.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 3.28% (86.9th percentile)
In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | — | — |
| splunk | splunk | >= 10.0.0 < 10.0.5 | 10.0.5 |
| splunk | splunk | >= 9.3.0 < 9.3.11 | 9.3.11 |
| splunk | splunk | >= 9.4.0 < 9.4.10 | 9.4.10 |
| splunk | splunk_cloud_platform | >= 10.0.2503 < 10.0.2503.13 | 10.0.2503.13 |
| splunk | splunk_cloud_platform | >= 10.1.2507 < 10.1.2507.19 | 10.1.2507.19 |
| splunk | splunk_cloud_platform | >= 10.2.2510 < 10.2.2510.9 | 10.2.2510.9 |
| splunk | splunk_cloud_platform | >= 10.3.2512 < 10.3.2512.5 | 10.3.2512.5 |
| splunk | splunk_cloud_platform | >= 10.4.2603 < Not Affected | Not Affected |
| splunk | splunk_cloud_platform | >= 9.3.2411 < 9.3.2411.127 | 9.3.2411.127 |
| splunk | splunk_enterprise | >= 10.0 < 10.0.5 | 10.0.5 |
| splunk | splunk_enterprise | >= 10.2 < 10.2.1 | 10.2.1 |
| splunk | splunk_enterprise | >= 9.3 < 9.3.11 | 9.3.11 |
| splunk | splunk_enterprise | >= 9.4 < 9.4.10 | 9.4.10 |
GHSA
GHSA-gj97-4w7h-79j2: In Splunk Enterprise versions below 10
ghsa_unreviewed·2026-04-15
CVE-2026-20204 [HIGH] CWE-377 GHSA-gj97-4w7h-79j2: In Splunk Enterprise versions below 10
VulDB
Splunk Enterprise/Cloud Platform File apptemp temp file (SVD-2026-0403)
vuldb·2026-04-15·CVSS 7.1
CVE-2026-20204 [HIGH] Splunk Enterprise/Cloud Platform File apptemp temp file (SVD-2026-0403)
A vulnerability described as critical has been identified in Splunk Enterprise and Cloud Platform. The affected element is an unknown function of the file `$SPLUNK_HOME/var/run/splunk/apptemp` of the component File Handler. The manipulation results in an insecure temporary file.
This vulnerability is identified as CVE-2026-20204. The attack can be executed remotely. There is not any exploit available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
Checkpoint
20th April – Threat Intelligence Report
blogs_checkpoint·2026-04-20
CVE-2026-34197 20th April – Threat Intelligence Report
## 20th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Booking.com, the Amsterdam-based travel platform, has confirmed a data breach after unauthorized parties accessed reservation data linked to some customers. Exposed information included names, email addresses, phone numbers, physical addresses, and booking details, creating phishing risk, while the company reset reservation PI
Hackernews
⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
blogs_hackernews·2026-04-20
CVE-2026-20184 ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
## ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas