Splunk Enterprise XXE via dashboard tab label (pre 9.4.4, 9.3.6, 9.2.8)
CVE-2025-20369 Published on October 1, 2025
Extensible Markup Language (XML) External Entity Injection (XXE) through Dashboard label field on Splunk Enterprise
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the "admin" or "power" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks.
Weakness Type
What is a XEE Vulnerability?
The software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
CVE-2025-20369 has been classified to as a XEE vulnerability or weakness.
Products Associated with CVE-2025-20369
stack.watch emails you whenever new vulnerabilities are published in Splunk or Splunk Cloud Platform. Just hit a watch button to start following.
Affected Versions
Splunk Enterprise:- Version 10.0 and below 10.0.0 is affected.
- Version 9.4 and below 9.4.4 is affected.
- Version 9.3 and below 9.3.6 is affected.
- Version 9.2 and below 9.2.8 is affected.
- Version 9.3.2411 and below 9.3.2411.108 is affected.
- Version 9.3.2408 and below 9.3.2408.118 is affected.
- Version 9.2.2406 and below 9.2.2406.123 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.