Splunk vulnerabilities
187 known vulnerabilities affecting splunk/splunk.
Total CVEs: 187
CISA KEV: 1 (actively exploited)
Public exploits: 9
Exploited in wild: 1
Severity breakdown: CRITICAL 8, HIGH 53, MEDIUM 116, LOW 10
Vulnerabilities
Page 1 of 10
CVE-2026-20163 | HIGH | CVSS 7.2 | ≥ 9.3.0, < 9.3.10 | ≥ 9.4.0, < 9.4.9 | +1 more | 2026-03-11
CVE-2026-20163 [HIGH] CWE-77
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/in
nvd
CVE-2026-20162 | MEDIUM | CVSS 6.3 | ≥ 9.3.0, < 9.3.9 | ≥ 9.4.0, < 9.4.9 | +1 more | 2026-03-11
CVE-2026-20162 [MEDIUM] CWE-79
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/
nvd
CVE-2026-20165 | MEDIUM | CVSS 6.5 | ≥ 9.3.0, < 9.3.10 | ≥ 9.4.0, < 9.4.9 | +2 more | 2026-03-11
CVE-2026-20165 [MEDIUM] CWE-532
In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control
nvd
CVE-2026-20164 | MEDIUM | CVSS 6.5 | ≥ 9.3.0, < 9.3.10 | ≥ 9.4.0, < 9.4.9 | +1 more | 2026-03-11
CVE-2026-20164 [MEDIUM] CWE-200
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which expose
nvd
CVE-2026-20166 | MEDIUM | CVSS 5.4 | ≥ 10.0.0, < 10.0.4 | v10.2.0 | 2026-03-11
CVE-2026-20166 [MEDIUM] CWE-200
In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access co
nvd
CVE-2026-20141 | MEDIUM | CVSS 6.5 | ≥ 9.3.0, < 9.3.9 | ≥ 9.4.0, < 9.4.8 | +1 more | 2026-02-18
CVE-2026-20141 [MEDIUM] CWE-200
In Splunk Enterprise versions below 10.0.2, 10.0.3, 9.4.8, and 9.3.9, a low-privileged user who does not hold the "admin" Splunk role could access the Splunk Monitoring Console App endpoints due to an improper access control. This could lead to a sensitive information disclosure. The Monitoring Console app is a bundled app that comes with Splunk Ente
nvd
CVE-2026-20144 | MEDIUM | CVSS 4.9 | ≥ 9.2.0, < 9.2.11 | ≥ 9.3.0, < 9.3.8 | +2 more | 2026-02-18
CVE-2026-20144 [MEDIUM] CWE-532
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the Security Assertion Markup Language (SAML
nvd
CVE-2026-20139 | MEDIUM | CVSS 4.3 | ≥ 9.2.0, < 9.2.12 | ≥ 9.3.0, < 9.3.9 | +2 more | 2026-02-18
CVE-2026-20139 [MEDIUM] CWE-400
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/
nvd
CVE-2026-20142 | MEDIUM | CVSS 4.9 | ≥ 9.2.0, < 9.2.11 | ≥ 9.3.0, < 9.3.9 | +2 more | 2026-02-18
CVE-2026-20142 [MEDIUM] CWE-532
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the RSA `accessKey` value from the [Authentication.conf ](https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/configuration
nvd
CVE-2026-20137 | MEDIUM | CVSS 5.7 | ≥ 9.2.0, < 9.2.9 | ≥ 9.3.0, < 9.3.7 | +2 more | 2026-02-18
CVE-2026-20137 [LOW] CWE-200
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an inje
nvd
CVE-2026-20138 | MEDIUM | CVSS 4.9 | ≥ 9.2.0, < 9.2.11 | ≥ 9.3.0, < 9.3.9 | +2 more | 2026-02-18
CVE-2026-20138 [MEDIUM] CWE-532
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the `integrationKey`, `secretKey`, and `appSecretKey` secrets, generated by [Duo Two-Factor Authentication for Splunk Enterprise](https://duo.com
nvd
CVE-2025-20386 | MEDIUM | CVSS 6.5 | ≥ 9.2.0, < 9.2.10 | ≥ 9.3.0, < 9.3.8 | +2 more | 2025-12-03
CVE-2025-20386 [HIGH] CWE-732
In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splunk Enterprise for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents.
nvd
CVE-2025-20382 | MEDIUM | CVSS 5.4 | ≥ 9.2.0, < 9.2.10 | ≥ 9.3.0, < 9.3.8 | +2 more | 2025-12-03
CVE-2025-20382 [LOW] CWE-601
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially
nvd
CVE-2025-20383 | MEDIUM | CVSS 4.3 | ≥ 9.2.0, < 9.2.10 | ≥ 9.3.0, < 9.3.8 | +2 more | 2025-12-03
CVE-2025-20383 [MEDIUM] CWE-200
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description o
nvd
CVE-2025-20385 | MEDIUM | CVSS 4.8 | ≥ 9.2.0, < 9.2.10 | ≥ 9.3.0, < 9.3.8 | +2 more | 2025-12-03
CVE-2025-20385 [LOW] CWE-79
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, whic
nvd
CVE-2025-20387 | MEDIUM | CVSS 6.5 | ≥ 9.2.0, < 9.2.10 | ≥ 9.3.0, < 9.3.8 | +2 more | 2025-12-03
CVE-2025-20387 [HIGH] CWE-732
In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents.
nvd
CVE-2025-20389 | MEDIUM | CVSS 6.5 | ≥ 9.2.0, < 9.2.10 | ≥ 9.3.0, < 9.3.8 | +2 more | 2025-12-03
CVE-2025-20389 [MEDIUM] CWE-20
In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Spl
nvd
CVE-2025-20384 | MEDIUM | CVSS 5.3 | ≥ 9.2.0, < 9.2.10 | ≥ 9.3.0, < 9.3.8 | +2 more | 2025-12-03
CVE-2025-20384 [MEDIUM] CWE-117
In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may a
nvd
CVE-2025-20388 | LOW | CVSS 2.7 | ≥ 9.2.0, < 9.2.10 | ≥ 9.3.0, < 9.3.8 | +2 more | 2025-12-03
CVE-2025-20388 [LOW] CWE-918
In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search hea
nvd
CVE-2025-20378 | MEDIUM | CVSS 6.1 | ≥ 9.2.0, < 9.2.9 | ≥ 9.3.0, < 9.3.7 | +2 more | 2025-11-12
CVE-2025-20378 [LOW] CWE-601
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated
nvd