CVE-2026-20256— Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise
Affected Version Matrix 8
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Splunk | Splunk Cloud Platform | 10.3.2512< 10.3.2512.13 | affected |
10.2.2510< 10.2.2510.15 | affected | ||
10.1.2507< 10.1.2507.23 | affected | ||
9.3.2411< 9.3.2411.132 | affected | ||
| Splunk | Splunk Enterprise | 10.2< 10.2.4 | affected |
10.0< 10.0.7 | affected | ||
9.4< 9.4.12 | affected | ||
9.3< 9.3.13 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-20256
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.<br><br>The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Splunk Cloud Platform和Splunk Enterprise 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Splunk Cloud Platform和Splunk Enterprise都是美国Splunk公司的产品。Splunk Cloud Platform是一个强大的数据收集、处理和分析服务。Splunk Enterprise是一套数据收集分析软件。 Splunk Cloud Platform和Splunk Enterprise存在输入验证错误漏洞,该漏洞源于经典仪表盘中的URL分类器仅识别http://和https://协议,可能导致低权限用户通过协议相对URL在钻取链接中将受害者重定向到外部站点。以下产
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Splunk | Splunk Enterprise | 10.2 ~ 10.2.4 | - | |
| Splunk | Splunk Cloud Platform | 10.3.2512 ~ 10.3.2512.13 | - |
II. Public POCs for CVE-2026-20256
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-20256
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-20256 (1)
Same Patch Batch · Splunk · 2026-06-10 · 10 CVEs total
| CVE-2026-20253 | 9.8 CRITICAL | Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service End |
| CVE-2026-20251 | 8.8 HIGH | Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway |
| CVE-2026-20252 | 7.6 HIGH | Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterpris |
| CVE-2026-20258 | 7.1 HIGH | Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise |
| CVE-2026-20254 | 5.7 MEDIUM | Information Disclosure through External Content Restriction Bypass in Splunk Enterprise |
| CVE-2026-20257 | 5.7 MEDIUM | Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise |
| CVE-2026-20255 | 5.7 MEDIUM | Improper Input Validation through Classic Dashboards in Splunk Enterprise |
| CVE-2026-20259 | 5.5 MEDIUM | Improper Access Control in Splunk Enterprise |
| CVE-2026-20260 | 4.3 MEDIUM | Log Injection through HTTP Request Paths in Splunk SOAR |
IV. Related Vulnerabilities
Same product: Splunk Enterprise
- CVE-2026-20258
Stored Cross-Site Scripting (XSS) through Classic Dashboard - CVE-2026-20253
Unauthenticated Arbitrary File Creation and Truncation in a - CVE-2026-20252
Server-Side Request Forgery (SSRF) through Dashboard Studio - CVE-2026-20257
Improper Input Validation through Classic Dashboard CSS in S - CVE-2026-20259
Improper Access Control in Splunk Enterprise
Same vendor: Splunk
- CVE-2026-20266
OS Command Injection in the btool Configuration Helper in Sp - CVE-2026-20265
Insecure Default Domain Allowlist in Splunk AI Toolkit - CVE-2026-20258
Stored Cross-Site Scripting (XSS) through Classic Dashboard - CVE-2026-20253
Unauthenticated Arbitrary File Creation and Truncation in a - CVE-2026-20260
Log Injection through HTTP Request Paths in Splunk SOAR
Same weakness: CWE-20
- CVE-2026-48774
ProxySQL MCP run_sql_readonly executes side-effecting MySQL - CVE-2026-21768
HCL Verse for Android is susceptible to an injection vulnera - CVE-2026-39998
Apache APISIX: Identity Injection via forward-auth Plugin Mi - CVE-2025-58175
GeoServer has a Server-Side Request Forgery (SSRF) Vulnerabi - CVE-2026-12569
Remote Code Execution (RCE) vulnerability in Windchill PDMli
V. Comments for CVE-2026-20256
No comments yet