CVE-2026-20254
published 2026-06-10CVE-2026-20254: In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and…
PriorityP333medium5.7CVSS 3.1
AVNACLPRLUIRSUCHINAN
EPSS
0.25%
15.8th percentile
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | >= 10.0.0 < 10.0.7 | 10.0.7 |
| splunk | splunk | >= 10.2.0 < 10.2.4 | 10.2.4 |
| splunk | splunk | >= 9.3.0 < 9.3.13 | 9.3.13 |
| splunk | splunk | >= 9.4.0 < 9.4.12 | 9.4.12 |
| splunk | splunk_cloud_platform | >= 10.1.2507 < 10.1.2507.23 | 10.1.2507.23 |
| splunk | splunk_cloud_platform | >= 10.2.2510 < 10.2.2510.15 | 10.2.2510.15 |
| splunk | splunk_cloud_platform | >= 10.3.2512 < 10.3.2512.13 | 10.3.2512.13 |
| splunk | splunk_cloud_platform | >= 9.3.2411 < 9.3.2411.132 | 9.3.2411.132 |
| splunk | splunk_enterprise | >= 10.0 < 10.0.7 | 10.0.7 |
| splunk | splunk_enterprise | >= 10.2 < 10.2.4 | 10.2.4 |
| splunk | splunk_enterprise | >= 9.3 < 9.3.13 | 9.3.13 |
| splunk | splunk_enterprise | >= 9.4 < 9.4.12 | 9.4.12 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
Splunk Enterprise/Cloud Platform CSS injection (SVD-2026-0604)
vuldb·2026-06-10·CVSS 5.7
CVE-2026-20254 [MEDIUM] Splunk Enterprise/Cloud Platform CSS injection (SVD-2026-0604)
A vulnerability was found in Splunk Enterprise and Cloud Platform and classified as critical. This issue affects some unknown processing of the component CSS Handler. Such manipulation leads to injection.
This vulnerability is referenced as CVE-2026-20254. It is possible to launch the attack remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that
ghsa_unreviewed·2026-06-10
CVE-2026-20254 [MEDIUM] CWE-20 In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-10
Published