CVE-2026-20162

CVE-2026-20162 PUBLISHED CVSS 6.3 MEDIUM

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

EPSS 0.05% · 16.5th percentile

Risk Scores

CVSS v3.1: 6.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
EPSS Score: 0.05% (16.5th percentile)

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Splunk | Splunk Enterprise | 9.3, 10.0, 9.3 |
| splunk | splunk_cloud_platform | 10.0.2503, 10.2.2510, 10.1.2507 |
| Splunk | Splunk Cloud Platform | 9.3.2411, 10.1.2507, 10.0.2503 |
| splunk | splunk | 10.0.0, 9.4.0, 9.3.0 |

Timeline

  • Mar 11, 2026 CVE Published
  • Mar 12, 2026 EPSS Score
  • Mar 12, 2026 CVE Updated
  • Mar 13, 2026 EPSS Score
  • Mar 14, 2026 EPSS Score
  • Mar 15, 2026 EPSS Score
  • Mar 16, 2026 EPSS Score
  • Mar 17, 2026 EPSS Score
  • Mar 18, 2026 EPSS Score
  • Mar 19, 2026 EPSS Score
  • Mar 20, 2026 EPSS Score
  • Mar 21, 2026 EPSS Score