CVE-2026-20162: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users, in Splunk Enterprise
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
AI Analysis
Technical Summary
CVE-2026-20162 is a stored cross-site scripting (XSS) vulnerability affecting multiple versions of Splunk Enterprise and Splunk Cloud Platform prior to versions 10.2.0, 10.0.3, 9.4.9, and 9.3.9. The vulnerability arises because the software fails to properly neutralize user-controllable input before embedding it in web pages served to other users. Specifically, a low-privileged user lacking admin or power roles can exploit a path traversal vulnerability at the `/manager/launcher/data/ui/views/_new` endpoint when creating a View in the Splunk UI. This allows the attacker to inject malicious JavaScript code that is stored and later executed in the browsers of other users who view the compromised content. Exploitation requires the attacker to phish an authenticated user, tricking them into initiating a crafted request in their browser, as the vulnerability cannot be exploited at will by the attacker alone. The vulnerability primarily impacts confidentiality by enabling unauthorized script execution, which could lead to session hijacking, credential theft, or other client-side attacks. The CVSS v3.1 base score is 6.3, reflecting medium severity with network attack vector, low complexity, low privileges required, and user interaction needed. No known exploits have been reported in the wild to date. The flaw affects widely used versions of Splunk Enterprise and Cloud Platform, making it relevant for organizations relying on these platforms for security information and event management (SIEM) and operational intelligence. The vulnerability underscores the importance of proper input validation and output encoding in web applications, especially those handling user-generated content and administrative interfaces.
Potential Impact
The primary impact of CVE-2026-20162 is on the confidentiality of user data and session integrity within affected Splunk environments. Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the victim user. Although the vulnerability does not directly affect system integrity or availability, the resulting client-side compromise can facilitate further attacks, including privilege escalation or lateral movement within the network. Organizations using Splunk Enterprise or Cloud Platform versions prior to the patched releases are at risk, particularly if they allow low-privileged users to create or modify Views and if users with higher privileges access these Views. The requirement for phishing and user interaction reduces the likelihood of widespread automated exploitation but does not eliminate the risk, especially in environments with targeted attackers or insider threats. Given Splunk's role in security monitoring and operational intelligence, compromise of its user interface could undermine trust in security alerts and data integrity, impacting incident response and overall organizational security posture.
Mitigation Recommendations
1. Apply official patches and updates from Splunk immediately to upgrade to versions 10.2.0 or later (or corresponding patched Cloud Platform versions).
2. Restrict the ability to create or modify Views to trusted users with appropriate roles, minimizing the number of users with such permissions.
3. Implement strict input validation and output encoding controls on all user-controllable inputs within Splunk UI customizations to prevent injection of malicious scripts.
4. Educate users about phishing risks and implement multi-factor authentication (MFA) to reduce the likelihood of successful phishing attacks.
5. Monitor Splunk logs for unusual activity related to Views creation or modification, and for suspicious user behavior that could indicate exploitation attempts.
6. Consider deploying web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting Splunk interfaces.
7. Regularly review and audit user roles and permissions within Splunk to ensure least privilege principles are enforced.
8. Use Content Security Policy (CSP) headers where possible to limit the impact of any injected scripts.
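The following is an added worked example of recommendations 3 and 5 above; it is illustration code written for this page, not Splunk's own implementation. It shows a server-side validator that rejects a View name carrying path-traversal segments or HTML metacharacters (the two ingredients the description names), an output encoder for the label, and a scan over access-log lines flagging requests to the `/manager/launcher/data/ui/views/_new` endpoint whose parameters contain such characters. The allowlist regex, the function names and the Apache-style log lines are assumptions constructed for the example; the real Splunk web access log format and View naming rules should be checked before reusing the patterns.

```python
"""Defensive checks around user-supplied View names (added example, not Splunk code)."""
import html
import re
from urllib.parse import unquote, urlsplit

# Allowlist for a View identifier: letters, digits, underscore and hyphen.
# Assumption: Splunk's own naming rules may differ; this is the conservative set.
VIEW_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,100}$")

# Endpoint named in the advisory.
ENDPOINT = "/manager/launcher/data/ui/views/_new"


def is_safe_view_name(name: str) -> bool:
    """Reject anything that could leave the views directory or carry markup.

    The name is URL-decoded twice so that a double-encoded "../" is caught
    before the allowlist is applied.
    """
    decoded = unquote(unquote(name))
    if ".." in decoded or "/" in decoded or "\\" in decoded:
        return False
    return VIEW_NAME_RE.fullmatch(decoded) is not None


def render_view_label(name: str) -> str:
    """Output-encode the label at the point it is placed into HTML."""
    return "<h2>" + html.escape(name, quote=True) + "</h2>"


# Constructed sample log lines in an Apache-combined-like layout (not the
# real Splunk format). The name is shown in the query string so the pattern
# is visible; real POST bodies are usually not logged, which is why the
# validator above belongs in the request handler and not only in log review.
SAMPLE_LOG = """\
10.0.0.5 - alice [11/Mar/2026:16:30:08 +0000] "POST /manager/launcher/data/ui/views/_new HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - bob [11/Mar/2026:16:31:12 +0000] "POST /manager/launcher/data/ui/views/_new?name=..%2F..%2Fx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - carol [11/Mar/2026:16:32:40 +0000] "POST /manager/launcher/data/ui/views/_new?name=%3Cscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - alice [11/Mar/2026:16:33:01 +0000] "GET /en-US/app/search/dashboards HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def suspicious_view_requests(log_text: str) -> list:
    """Return (user, ip, decoded query) for requests to the _new endpoint
    whose parameters contain traversal segments or HTML metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        decoded = unquote(unquote(parts.query))
        if ".." in decoded or re.search(r"[<>\"']", decoded):
            hits.append((m["user"], m["ip"], decoded))
    return hits


if __name__ == "__main__":
    for user, ip, query in suspicious_view_requests(SAMPLE_LOG):
        print(f"review View creation by {user} from {ip}: {query}")
```

Running the block on the constructed lines reports the requests by `bob` and `carol`; `alice`'s plain request to the endpoint and her unrelated dashboard fetch are not flagged. The validator and encoder are complementary: the allowlist stops a traversal segment from ever reaching the filesystem, and the encoder ensures that whatever label is stored cannot become active content when another user loads the page.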
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Japan, France, Netherlands, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.388Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b198902f860ef9433d35e3
Added to database: 3/11/2026, 4:30:08 PM
Last enriched: 3/11/2026, 4:46:19 PM
Last updated: 3/12/2026, 10:36:48 AM