CVE-2026-20162

MEDIUM 6.3

Stored Cross-Site Scripting (XSS) through Path Traversal in Splunk Enterprise

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

CWE	CWE-79
Vendor	splunk
Product	splunk enterprise
Published	Mar 11, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for splunk splunk enterprise

Be the first to know when new medium vulnerabilities affecting splunk splunk enterprise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Splunk / Splunk Enterprise

10.0 < 10.0.3 9.4 < 9.4.9 9.3 < 9.3.9

Splunk / Splunk Cloud Platform

10.2.2510 < 10.2.2510.4 10.1.2507 < 10.1.2507.15 10.0.2503 < 10.0.2503.11 9.3.2411 < 9.3.2411.123

References

NVD ↗ CVE.org ↗ EPSS Data ↗

advisory.splunk.com: https://advisory.splunk.com/advisories/SVD-2026-0301

Credits

Danylo Dmytriiev (DDV_UA)