Splunk Enterprise <=10.2.4 RCE via unsanitized HTML panel (CVE-2026-20258)
CVE-2026-20258 Published on June 10, 2026
Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user.
The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-20258 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-20258
stack.watch emails you whenever new vulnerabilities are published in Splunk or Splunk Cloud Platform. Just hit a watch button to start following.
Affected Versions
Splunk Enterprise:- Version 10.2 and below 10.2.4 is affected.
- Version 10.0 and below 10.0.7 is affected.
- Version 9.4 and below 9.4.12 is affected.
- Version 9.3 and below 9.3.13 is affected.
- Version 10.3.2512 and below 10.3.2512.11 is affected.
- Version 10.2.2510 and below 10.2.2510.15 is affected.
- Version 10.1.2507 and below 10.1.2507.23 is affected.
- Version 9.3.2411 and below 9.3.2411.132 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.