Home
HIGH: 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
affected
10.0 (custom) before 10.0.5
affected
9.4 (custom) before 9.4.10
affected
9.3 (custom) before 9.3.11
affected
affected
10.3.2512 (custom) before 10.3.2512.5
affected
10.2.2510 (custom) before 10.2.2510.9
affected
10.1.2507 (custom) before 10.1.2507.19
affected
10.0.2503 (custom) before 10.0.2503.13
affected
9.3.2411 (custom) before 9.3.2411.127
affected
Description
In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.
Problem types
Product status
10.0 (custom) before 10.0.5
9.4 (custom) before 9.4.10
9.3 (custom) before 9.3.11
10.3.2512 (custom) before 10.3.2512.5
10.2.2510 (custom) before 10.2.2510.9
10.1.2507 (custom) before 10.1.2507.19
10.0.2503 (custom) before 10.0.2503.13
9.3.2411 (custom) before 9.3.2411.127
Credits
Gabriel Nitu, Splunk
References
advisory.splunk.com/advisories/SVD-2026-0403