CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-20251

unknownknown exploitedcovered by 1 sourcefirst seen 2026-06-19
Actively exploited. CVE-2026-20251 is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild, and US federal agencies are required to remediate it under BOD 22-01. Treat patching as urgent.
Splunk has fixed multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. The vulnerabilities affect various components of Splunk Enterprise and Splunk Cloud Platform. Splunk has assessed the vulnerability with CVE-2026-20253 in the PostgreSQL sidecar service endpoint as critical, allowing unauthenticated users to create or delete arbitrary files due to the lack of authentication controls. Another vulnerability with CVE-2026-20251 concerns Remote Code Execution (RCE) via unsafe deserialization of KV Store data with the 'jsonpickle' Python library, allowing low-privileged users without admin or power roles to execute code remotely. Furthermore, multiple vulnerabilities have been identified that allow sensitive data to be exfiltrated via SSRF, CSS injection, and XSS attacks. Due to insufficient validation of URLs, domains, and user input, attackers can bypass security controls, access internal systems, and exfiltrate data. Update: The Splunk Product Security Incident Response Team (PSIRT) reports that limited and targeted exploitation of the vulnerability with CVE-2026-20253 has been observed. The vulnerability allows a malicious actor to create or delete files, disrupting the operation of the system. As far as known, code execution is not possible.

CSIRTS triage

What
Multiple vulnerabilities allow unauthenticated access and remote code execution.
Who is affected
Users of Splunk Enterprise and Splunk Cloud Platform.
Urgency
Remediation is urgent due to the critical nature of the vulnerabilities and active exploitation.
Action
Apply the latest security updates from Splunk.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-20251

Get an email if CVE-2026-20251 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-20251

CVE.org record

CISA KEV catalog

Embed the live status

CVE-2026-20251 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-20251 status](https://www.csirts.com/badge/CVE-2026-20251)](https://www.csirts.com/cve/CVE-2026-20251)