CVE-2026-20162: Medium Vulnerability in Splunk Splunk Cloud Platform

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, along with Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user can craft a malicious payload at the `/manager/launcher/data/ui/views/_new` endpoint while creating a View (Settings - User Interface - Views). This vulnerability allows for Stored Cross-Site Scripting (XSS) through a path traversal flaw, potentially resulting in the execution of unauthorized JavaScript code in a user's browser.

The attacker must first phish the victim, tricking them into initiating a request within their browser. It's important to note that the authenticated user should not be able to exploit this vulnerability at will.

This vulnerability has a CVSS score of 6.3, categorized as medium severity. Risk to organizations includes potential unauthorized access to sensitive information through XSS attacks, which could compromise user sessions and lead to further exploitation.

Organizations should prioritize patching immediately to mitigate the risks associated with this vulnerability. The required updates are available in the latest versions of the affected products.

Vulnerability Details

CVE-2026-20162 is classified under CWE-79, indicating that it pertains to improper neutralization of input during web page generation ('Cross-site Scripting'). The vulnerability was disclosed on March 11, 2026, and is present in Splunk Enterprise and Splunk Cloud Platform versions specified earlier.

Technical Analysis

The root cause of this vulnerability stems from a flaw in the way Splunk handles user input in the specified endpoint, allowing for path traversal that can lead to malicious payload execution. The attack vector is network-based, requiring the user to interact with a phishing attempt, which involves low attack complexity. A low level of privileges is needed to trigger the attack, and user interaction is essential for exploitation.

The impacts of this vulnerability are significant: confidentiality is rated as high due to the potential exposure of sensitive information, integrity impact is low as unauthorized data manipulation may occur, and availability is unaffected.

Risk & Impact Analysis

Real-world deployment risks include potential unauthorized access to sensitive user data and compromised sessions, leading to further exploitation. Organizations utilizing Splunk products must recognize the critical nature of this vulnerability, as the blast radius could affect all users interacting with the compromised views.

Given the CVSS score of 6.3, organizations should address this vulnerability in their priority patch cycle to prevent exploitation and mitigate the associated risks.

Exploitation Status

Affected Versions

All versions of Splunk Enterprise prior to 10.2.0, 10.0.3, 9.4.9, and 9.3.9 as well as all versions of Splunk Cloud Platform prior to 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123 are affected by this vulnerability.

Mitigation & Remediation

Organizations should prioritize patching immediately by updating to the latest versions of Splunk Enterprise and Splunk Cloud Platform to mitigate this vulnerability. If immediate patching is not feasible, organizations should implement workarounds, such as restricting the functionality available to low-privileged users and monitoring for suspicious activities within the application.

For more information on penetration testing practices, organizations can refer to our guide on penetration testing to validate their systems and identify potential vulnerabilities.

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor log files for anomalies related to the creation of views and unusual user activity. Additionally, they should look for behavioral indicators of phishing attempts that could lead to exploitation.

AppSecure Threat Intelligence Insight

CVE-2026-20162 highlights the ongoing risks associated with cross-site scripting vulnerabilities, particularly in applications with complex user interfaces. The low privilege requirement for exploitation represents a significant risk factor, demonstrating the necessity for rigorous input validation and user role management.

Organizations should remain vigilant, continuously improving their application security posture through regular assessments and security training for users. For further insights on application security practices, consider reviewing our article on application security assessments and how they can enhance overall security measures.

Additionally, for a comprehensive understanding of emerging threats, organizations should follow our insights on ransomware targeting trends to better prepare against various attack vectors.