CVE-2026-20162: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. in Splunk Enterprise
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-20162 is a stored cross-site scripting (XSS) vulnerability affecting multiple versions of Splunk Enterprise and Splunk Cloud Platform prior to specified patch levels (below 10.2.0, 10.0.3, 9.4.9, and 9.3.9 for Enterprise). The vulnerability arises because the software fails to properly neutralize user-controllable input before embedding it into web pages served to other users. Specifically, a low-privileged user lacking admin or power roles can exploit a path traversal vulnerability in the Views creation endpoint (/manager/launcher/data/ui/views/_new) to inject malicious JavaScript payloads. When another authenticated user views the compromised page, the injected script executes in their browser context, potentially exposing sensitive information such as session cookies or enabling actions on behalf of the victim user. Exploitation requires the attacker to phish the victim to initiate a request, as the vulnerability cannot be triggered arbitrarily by the attacker alone. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 score of 6.3 reflects a network attack vector, low attack complexity, low privileges required, required user interaction, and high confidentiality impact but limited integrity and no availability impact. No public exploits have been reported yet. The vulnerability affects a broad range of Splunk Enterprise versions widely used in enterprise security monitoring, log management, and operational intelligence. The flaw underscores the importance of input validation and output encoding in web applications, especially those handling user-generated content. Since the vulnerability involves stored XSS, it can persist and affect multiple users until remediated. Splunk has not provided patch links in the provided data, but upgrading to fixed versions is recommended. 
Organizations should also review role assignments to limit low-privileged users' ability to create or modify Views and enhance phishing awareness to reduce the risk of victim interaction.
Potential Impact
The primary impact of CVE-2026-20162 is on confidentiality, as successful exploitation allows execution of arbitrary JavaScript in the browsers of authenticated users, potentially exposing session tokens, credentials, or sensitive information accessible in the user's session. This can lead to account compromise or unauthorized actions performed with the victim's privileges. The integrity impact is limited since the vulnerability does not allow direct modification of backend data or system configurations. Availability is not affected. The requirement for user interaction (phishing) and low privileges needed to craft the payload lower the overall risk but do not eliminate it, especially in environments with many users and complex role assignments. Organizations relying on Splunk Enterprise for security monitoring and incident response may face increased risk of lateral movement or data leakage if attackers exploit this vulnerability. The persistence of stored XSS means multiple users can be affected until the vulnerability is patched. Given Splunk's widespread use in critical infrastructure, finance, healthcare, and government sectors, the potential impact spans multiple industries and geographies. Attackers could leverage this vulnerability as part of a broader attack chain to gain footholds or exfiltrate data.
Mitigation Recommendations
1. Upgrade affected Splunk Enterprise and Cloud Platform instances to the latest patched versions (at or above 10.2.0, 10.0.3, 9.4.9, and 9.3.9 for Enterprise).
2. Restrict the ability to create or modify Views to trusted, higher-privileged roles only, minimizing exposure to low-privileged users.
3. Implement strict input validation and output encoding in custom Views or dashboards to prevent injection of malicious scripts.
4. Conduct regular audits of user roles and permissions to ensure least privilege principles are enforced.
5. Enhance phishing awareness training for users to reduce the likelihood of victims triggering malicious payloads.
6. Monitor Splunk logs for unusual activity related to Views creation or modification endpoints.
7. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers accessing Splunk interfaces.
8. Use multi-factor authentication (MFA) to reduce risk of account compromise if session tokens are exposed.
9. Isolate Splunk management interfaces from general user networks where feasible to limit exposure.
10. Stay informed of vendor advisories and apply security patches promptly.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Japan, South Korea, France, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.388Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b198902f860ef9433d35e3
Added to database: 3/11/2026, 4:30:08 PM
Last enriched: 3/18/2026, 7:09:22 PM
Last updated: 4/28/2026, 7:21:15 AM
Views: 37