cvedb.io
CVE-2026-20255
MEDIUM · CVSS 5.7
EPSS exploitation probability: 0%
Published 2026-06-10T18:16:41.010 · Last modified 2026-06-17T10:17:20.450

Summary

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server. The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard.

Affected products

splunk — splunk

Does this affect you?

Add your gear to cvedb and we'll alert you only when splunk ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.