Description

In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.
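Because exploitation requires a role that contains `edit_cmd`, a useful triage step is to list every role that holds the capability, including through inheritance. The following is an added example, not code from Splunk or the advisory; it assumes the `authorize.conf` conventions of `[role_<name>]` stanzas, `importRoles` as a semicolon-separated list, and `<capability> = enabled`, and the sample configuration is constructed.

```python
import configparser

# Constructed sample authorize.conf content (not taken from the advisory).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_power]
importRoles = user
rtsearch = enabled

[role_admin]
importRoles = power;user
edit_cmd = enabled

[role_ingest_ops]
importRoles = admin

[role_analyst]
importRoles = user
edit_cmd = disabled
"""


def roles_with_capability(conf_text, capability="edit_cmd"):
    """Return sorted role names holding `capability` directly or via importRoles."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # preserve key case, e.g. importRoles
    parser.read_string(conf_text)

    direct, imports = set(), {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue  # skip non-role stanzas
        role = section[len("role_"):]
        opts = parser[section]
        if opts.get(capability, "").strip().lower() == "enabled":
            direct.add(role)
        parents = opts.get("importRoles", "").split(";")
        imports[role] = [p.strip() for p in parents if p.strip()]

    def holds(role, seen):
        # Depth-first walk up the import chain; `seen` guards against cycles.
        if role in direct:
            return True
        if role in seen:
            return False
        seen.add(role)
        return any(holds(parent, seen) for parent in imports.get(role, []))

    return sorted(r for r in imports if holds(r, set()))
```

Run it over the merged configuration rather than a single file, since role stanzas can be spread across apps; any role it returns should be reviewed for whether it still needs `edit_cmd` until the fixed version is installed.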

PUBLISHED Reserved 2025-10-08 | Published 2026-03-11 | Updated 2026-03-12 | Assigner cisco




HIGH: 8.0 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Product status

10.0 (custom) before 10.0.4
affected

9.4 (custom) before 9.4.9
affected

9.3 (custom) before 9.3.10
affected

10.2.2510 (custom) before 10.2.2510.5
affected

10.0.2503 (custom) before 10.0.2503.12
affected

10.1.2507 (custom) before 10.1.2507.16
affected

9.3.2411 (custom) before 9.3.2411.124
affected

Credits

Danylo Dmytriiev (DDV_UA)

Gabriel Nitu, Splunk

James Ervin, Splunk

References

advisory.splunk.com/advisories/SVD-2026-0302

cve.org (CVE-2026-20163)

nvd.nist.gov (CVE-2026-20163)