ESB-2026.5495

=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.5495 SVD-2026-0510: Third-Party Package Updates in Splunk AppDynamics Cluster Agent - May 2026 21 May 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: Splunk AppDynamics Cluster Agent Publisher: Splunk Operating System: Windows UNIX variants (UNIX, Linux, OSX) Resolution: Patch/Upgrade CVE Names: CVE-2026-35469 CVE-2025-14831 CVE-2025-69419 CVE-2025-9086 CVE-2026-33186 CVE-2026-27140 CVE-2026-27143 CVE-2026-27144 CVE-2026-32280 CVE-2026-32281 CVE-2026-32282 CVE-2026-32283 CVE-2026-32288 CVE-2026-32289 CVE-2026-33810 CVE-2026-40200 CVE-2026-6042 CVE-2025-68160 CVE-2025-61732 CVE-2025-9820 CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119 CVE-2025-68121 CVE-2025-68973 CVE-2026-4111 CVE-2026-25679 CVE-2025-11187 CVE-2026-27139 CVE-2026-27142 CVE-2025-15467 CVE-2025-15468 CVE-2025-69418 CVE-2025-66199 CVE-2025-69420 CVE-2025-69421 CVE-2026-22795 CVE-2026-22796 Original Bulletin: https://advisory.splunk.com//advisories/SVD-2026-0510 Comment: CVSS (Max): 10.0 CVE-2025-68121 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) CVSS Source: GitHub, MITRE, [NIST], CISA-ADP, VulDB, Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H EPSS (Max): 2.6% (85th) CVE-2025-15467 2026-05-20 - --------------------------BEGIN INCLUDED TEXT-------------------- Third-Party Package Updates in Splunk AppDynamics Cluster Agent - May 2026 Advisory ID: SVD-2026-0510 CVE ID: Multiple Published: 2026-05-20 Last Update: 2026-05-20 Description Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Cluster Agent version 26.4.0, and higher, including the following: Package Remediation CVE Severity golang [1 Upgraded to version 1.26.2 Multiple Critical ] grpc-go Upgraded from version 1.72.2 to version CVE-2026-33186 Critical 1.79.3 openssl [2 Upgraded to version 3.5.1-7 Multiple Critical ] spdystream Upgraded from version 0.5.0 to version 0.5.1 CVE-2026-35469 High musl [3 ] Upgraded to version 1.2.5-r23 Multiple High curl Upgraded from version 7.76.1-34 to version CVE-2025-9086 High 7.76.1-35 libarchive Upgraded from version 3.5.3-6 to version CVE-2026-4111 High 3.5.3-7 gnupg Upgraded from version 2.3.3-4 to version CVE-2025-68973 High 2.3.3-5 gnutls [4 Upgraded to version 3.8.3-10 Multiple Medium ] [ 1 ] Upgraded golang from version 1.25.5 to version 1.26.2 to remedy CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-61731, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27140, CVE-2026-27142, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, and CVE-2026-33810. [ 2 ] Upgraded openssl from version 3.5.1-4 to version 3.5.1-7 to remedy CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796. [ 3 ] Upgraded musl from version 1.2.5-r10 to version 1.2.5-r23 to remedy CVE-2026-40200 and CVE-2026-6042. [ 4 ] Upgraded gnutls from version 3.8.3-9 to version 3.8.3-10 to remedy CVE-2025-14831, and CVE-2025-9820. Solution Upgrade Splunk AppDynamics Cluster Agent to version 26.4.0 or higher. Product Status Product Base Version Affected Version Fix Version Splunk AppDynamics Cluster Agent 26.4 Below 26.4.0 26.4.0 Severity For the CVEs in this list, Splunk adopted the vendor's severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available. - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================