ESB-2026.3801 — Vulnetix

ESB-2026.3801 PUBLISHED CVSS 10 CRITICAL

=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.3801 SVD-2026-0408: Third-Party Package Updates in Splunk Operator for Kubernetes Add-on - April 2026 16 April 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: Splunk Operator for Kubernetes Add-on 3.1 Publisher: Splunk Operating System: Windows Linux Resolution: Patch/Upgrade CVE Names: CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-68121 CVE-2025-32988 CVE-2025-5372 CVE-2025-47913 CVE-2025-6395 CVE-2025-32990 CVE-2025-47914 CVE-2025-58181 CVE-2025-13601 CVE-2025-5318 CVE-2025-0913 CVE-2025-4673 CVE-2025-22874 Original Bulletin: https://advisory.splunk.com//advisories/SVD-2026-0408 Comment: CVSS (Max): 10.0 CVE-2025-68121 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) CVSS Source: CISA-ADP, [NIST], Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H EPSS (Max): 0.1% (29th) CVE-2025-5318 2026-04-15 - --------------------------BEGIN INCLUDED TEXT-------------------- Third-Party Package Updates in Splunk Operator for Kubernetes Add-on - April 2026 Advisory ID: SVD-2026-0408 CVE ID: Multiple Published: 2026-04-15 Last Update: 2026-04-15 Description Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Operator for Kubernetes Add-on version 3.1.0, including the following: Package Remediation CVE Severity golang [1] Upgraded golang to version 1.25.7 Multiple Critical golang.org/ Upgraded golang.org/x/crypto to version x/crypto [2 0.47.0] Multiple High Upgraded GnuTLS from version GnuTLS [3] gnutls-3.6.16-8.el8_10.3 to version Multiple High gnutls-3.6.16-8.el8_10.4 Upgraded libssh from version libssh [4] libssh-0.9.6-14.el8 to version Multiple High libssh-0.9.6-16.el8_10 Upgraded glib2 from version glib2 [5] glib2-2.56.4-166.el8_10 to version CVE-2025-13601 High glib2-2.56.4-168.el8_10 [ 1 ] Upgraded golang from version 1.24.2 to version 1.25.7 to remedy CVE-2025-68121, CVE-2025-61726, CVE-2025-61730, CVE-2025-4673, CVE-2025-0913, CVE-2025-22874, CVE-2025-61728. [ 2 ] Upgraded golang.org/x/crypto from version 0.39.0 to version 0.47.0 to remedy CVE-2025-47913, CVE-2025-47914, CVE-2025-58181. [ 3 ] Upgraded container base image ubi-minimal to version 8.10-1770223153 to remedy GnuTLS CVE-2025-32988, CVE-2025-6395, CVE-2025-32990. [ 4 ] Upgraded container base image ubi-minimal to version 8.10-1770223153 to remedy libssh CVE-2025-5372, CVE-2025-5318. [ 5 ] Upgraded container base image ubi-minimal to version 8.10-1770223153 to remedy glib2 CVE-2025-13601. Solution Upgrade Splunk Operator for Kubernetes Add-on to versions 3.1.0 or higher. See Splunk Operator for Kubernetes releases Product Status Product Base Version Affected Version Fix Version Splunk Operator for Kubernetes Add-on 3.1 Below 3.1.0 3.1.0 Severity For the CVEs in this list, Splunk adopted the vendor's severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available. - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================

Risk Scores

CVSS v3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Splunk	Splunk Operator for Kubernetes Add-on 3.1

Timeline

Apr 16, 2026 CVE Published

References

http://portal.auscert.org.au/bulletins/ESB-2026.3801/ advisory
https://advisory.splunk.com//advisories/SVD-2026-0408 advisory

Open in Interactive Console →