CVE-2026-20258: Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user who does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser; the low-privileged user cannot exploit the vulnerability at will.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 9.3.13
- Affected Products: 2
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in the Classic Dashboard HTML panel feature of Splunk Enterprise and Splunk Cloud Platform allows a low-privileged authenticated attacker who can reach the Splunk web interface over the network to inject malicious JavaScript into a dashboard. The attacker must trick a victim user into initiating a browser request that triggers the stored script, so a phishing step is required. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact within the victim's browser session. Patched-image rebuilds at versions 9.3.13, 9.3.2411.132, 9.4.12, 10.0.7, and 10.1.2507.23 are available on HarborGuard for affected environments.
HarborGuard Coverage
- [Available] Detection of CVE-2026-20258 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of feed ingestion, including custom-built images that bundle Splunk Enterprise or Splunk Cloud Platform components.
- [Available] HarborGuard is capable of scoring this CVE at CVSS 7.1 (HIGH) against each affected image, weighting findings against per-environment compliance policies, and routing alerts to the appropriate team inbox within each customer organization.
- [Available] A patched-image rebuild at the applicable fix version (9.3.13, 9.3.2411.132, 9.4.12, 10.0.7, or 10.1.2507.23) becomes available on HarborGuard once the upstream base image is updated. For customers who opt into auto-remediation, HarborGuard is capable of triggering the rebuild, running a regression test suite, and opening a PR against affected workloads automatically.
Exploit Conditions
- Network reachability (Required): The attacker must reach the Splunk web interface over the network to inject the malicious script into the dashboard HTML panel.
- Authentication (Required): Any low-privilege Splunk account is sufficient; the attacker does not need admin or power role credentials.
- Victim interaction (Required): The attacker must phish the victim, tricking them into initiating a browser request that executes the stored script; exploitation cannot be triggered at will.
- Attack complexity: High, reflecting that the attacker must coordinate a social-engineering step and cannot reliably trigger execution without victim cooperation.
Blast Radius
- Reads session tokens, credentials, or sensitive search data visible within the victim's authenticated Splunk browser session.
- Modifies dashboard content or Splunk configurations by issuing requests as the victim user.
- Performs actions inside Splunk on behalf of the victim, potentially exfiltrating search results or altering saved searches.
- Disrupts the victim's Splunk session or browser state, degrading their ability to use the platform.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image in a customer registry or pipeline that bundles an affected Splunk version. The CVE is scored at CVSS 7.1 (HIGH), and triage routing follows each customer's configured compliance policy. Where compliance policy permits, patched-image rebuilds at the relevant fix versions are available, and customers with auto-remediation enabled can expect a rebuilt image, regression-test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Until an upgrade is applied, compensating controls worth considering include restricting Classic Dashboard HTML panel write permissions to trusted roles via Splunk's capabilities configuration, applying network-policy isolation to limit which users can reach the Splunk web interface, and enabling strict Content Security Policy headers if the deployment supports them.
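Until the upgrade lands, one practical check alongside the permission restrictions above is to review the HTML panels that non-admin users have saved. The script below is an added example, not HarborGuard's or Splunk's own code: it parses SimpleXML dashboard definitions (as exported from a deployment, for instance the XML returned by Splunk's data/ui/views REST endpoint) and flags HTML panels that contain script tags, inline event handlers, javascript: URIs, or embedded frames. The sample dashboard and the indicator patterns are constructed for illustration; the pattern list is a starting point for review, not an exhaustive XSS detector.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample dashboard (SimpleXML) with two HTML panels. The first is
# benign markup; the second carries the kinds of active content an XSS payload
# relies on. Not taken from any real deployment.
SAMPLE_DASHBOARD_XML = """<dashboard>
  <label>Ops Overview</label>
  <row>
    <panel>
      <html>
        <h2>Welcome</h2>
        <p>Use the time picker above to narrow results.</p>
      </html>
    </panel>
    <panel>
      <html><![CDATA[
        <img src="x" onerror="alert(1)">
        <a href="javascript:void(0)">link</a>
        <script>alert(document.domain)</script>
      ]]></html>
    </panel>
  </row>
</dashboard>
"""

# Indicators of active content inside an HTML panel (assumed, not exhaustive).
# Each name maps to a case-insensitive pattern; a match is a finding to review,
# not proof of compromise.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.I),
    "embedded_frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}


def panel_markup(html_el):
    """Return the raw markup of an <html> panel as one string.

    Panel HTML may be stored as CDATA (surfaces as .text) or as nested
    elements (surfaces as children); both forms are flattened here.
    """
    parts = [html_el.text or ""]
    for child in html_el:
        parts.append(ET.tostring(child, encoding="unicode"))
    return "".join(parts)


def scan_dashboard(xml_text, dashboard_name="<inline>"):
    """Return one finding per HTML panel whose markup matches any indicator."""
    root = ET.fromstring(xml_text)
    findings = []
    for index, html_el in enumerate(root.iter("html")):
        markup = panel_markup(html_el)
        hits = sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(markup))
        if hits:
            findings.append(
                {"dashboard": dashboard_name, "panel_index": index, "indicators": hits}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_dashboard(SAMPLE_DASHBOARD_XML, "ops_overview"):
        print(
            f"{finding['dashboard']} panel #{finding['panel_index']}: "
            + ", ".join(finding["indicators"])
        )
```

Run it over every dashboard owned or last modified by a user outside the admin and power roles, and treat each finding as a candidate for manual review and, where warranted, removal. Legitimate panels sometimes carry event handlers or frames, so the output is a review queue rather than an automatic block list, and it complements rather than replaces the capability restriction and the upgrade.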
Fix available
- Splunk / Splunk Enterprise: < 10.2.4 (from 10.2) · < 10.0.7 (from 10.0) · < 9.4.12 (from 9.4) · < 9.3.13 (from 9.3)
- Splunk / Splunk Cloud Platform: < 10.3.2512.11 (from 10.3.2512) · < 10.2.2510.15 (from 10.2.2510) · < 10.1.2507.23 (from 10.1.2507) · < 9.3.2411.132 (from 9.3.2411)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H