Splunk threat watch

Recent watch items and advisories tracked for Splunk inside the ITECS Threat Radar.

Watch items

Recent Splunk watch items

Showing the 8 most recent items, newest first. Each row links to the official advisory.

8 rows · sorted newest first

Operations view

splunk vulnerability (CVE-2026-20253)

CRITICAL
activeNVDCVE-2026-20253

In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

Jun 10, 2026, 1:16 PMOfficial source

splunk vulnerability (CVE-2026-20252)

HIGH
watchNVDCVE-2026-20252

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.

Jun 10, 2026, 1:16 PMOfficial source

splunk vulnerability (CVE-2026-20251)

HIGH
watchNVDCVE-2026-20251

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.<br><br>The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.

Jun 10, 2026, 1:16 PMOfficial source

splunk vulnerability (CVE-2026-20204)

HIGH
watchNVDCVE-2026-20204

In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.

Apr 15, 2026, 11:16 AMOfficial source

splunk vulnerability (CVE-2017-17067)

CRITICAL
watchNVDCVE-2017-17067

Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and 6.3.x before 6.3.12, when the SAML authType is enabled, mishandles SAML, which allows remote attackers to bypass intended access restrictions or conduct impersonation attacks.

Nov 29, 2017, 8:29 PMOfficial source

hadoop connect vulnerability (CVE-2017-7565)

HIGH
watchNVDCVE-2017-7565

Splunk Hadoop Connect App has a path traversal vulnerability that allows remote authenticated users to execute arbitrary code, aka ERP-2041.

Apr 6, 2017, 10:59 AMOfficial source

splunk vulnerability (CVE-2016-10126)

CRITICAL
watchNVDCVE-2016-10126

Splunk Web in Splunk Enterprise 5.0.x before 5.0.17, 6.0.x before 6.0.13, 6.1.x before 6.1.12, 6.2.x before 6.2.12, 6.3.x before 6.3.8, and 6.4.x before 6.4.4 allows remote attackers to conduct HTTP request injection attacks and obtain sensitive REST API authentication-token information via unspecified vectors, aka SPL-128840.

Jan 10, 2017, 5:59 AMOfficial source

splunk vulnerability (CVE-2010-3322)

HIGH
watchNVDCVE-2010-3322

The XML parser in Splunk 4.0.0 through 4.1.4 allows remote authenticated users to obtain sensitive information and gain privileges via an XML External Entity (XXE) attack to unknown vectors.

Sep 14, 2010, 12:00 PMOfficial source

Vendor watch hub

What this page covers

The Splunkwatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.

  • Confirm whether recent Splunk activity overlaps with your environment.
  • Prioritize advisories by MSP-relevance score, severity, and status.
  • Turn the signal into an assessment, briefing, or managed-service engagement with ITECS.

At a glance

Tracked

8

Active

1

Featured

3

Unique CVEs

8

Most recent entry

Jun 10, 2026, 1:16 PM

Feed refreshes daily · 5:15 a.m. Central

Sources·Aggregated vendor advisories and CVE feeds

"Most recent entry" is the newest item the upstream feed has published — not our sync time.

Vendor watch FAQ

Common questions

What is the Splunk threat watch page?

It is the Splunk-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.

How should teams use the Splunk watch page?

Use it to confirm whether current Splunk issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.

Can ITECS help respond to Splunk security issues?

Yes. ITECS can help map Splunk advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.