CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

NCSC-2026-0198 [1.01] [M/H] Vulnerabilities fixed in Splunk Enterprise and Splunk Cloud Platform

unknownknown exploitedpublic exploitCVE-2026-20253CVE-2026-20251
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Splunk has fixed multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. The vulnerabilities affect various components of Splunk Enterprise and Splunk Cloud Platform. Splunk has assessed the vulnerability with CVE-2026-20253 in the PostgreSQL sidecar service endpoint as critical, allowing unauthenticated users to create or delete arbitrary files due to the lack of authentication controls. Another vulnerability with CVE-2026-20251 concerns Remote Code Execution (RCE) via unsafe deserialization of KV Store data with the 'jsonpickle' Python library, allowing low-privileged users without admin or power roles to execute code remotely. Furthermore, multiple vulnerabilities have been identified that allow sensitive data to be exfiltrated via SSRF, CSS injection, and XSS attacks. Due to insufficient validation of URLs, domains, and user input, attackers can bypass security controls, access internal systems, and exfiltrate data. Update: The Splunk Product Security Incident Response Team (PSIRT) reports that limited and targeted exploitation of the vulnerability with CVE-2026-20253 has been observed. The vulnerability allows a malicious actor to create or delete files, disrupting the operation of the system. As far as known, code execution is not possible.

CSIRTS triage

What
Multiple vulnerabilities allow unauthenticated access and remote code execution.
Who is affected
Users of Splunk Enterprise and Splunk Cloud Platform.
Urgency
Remediation is urgent due to the critical nature of the vulnerabilities and active exploitation.
Action
Apply the latest security updates from Splunk.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Splunk Enterprise and Splunk Cloud Platform

Get an email when a new Splunk Enterprise and Splunk Cloud Platform advisory drops — max one per day, one-click unsubscribe.

Details

Source
NCSC-NL Advisories (NL · national-cert · site)
Severity
unknown
Published
2026-06-19
Exploitation
Observed in the wild (CISA KEV)
Language
Machine-translated to English — verify against the original

Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0198

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-20253coverage & exploitation statusNVD · CVE.org
CVE-2026-20251coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

Recent advisories for Splunk Enterprise and

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from NCSC-NL Advisories