CVE-2025-20367: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2025-20367 is a reflected cross-site scripting (XSS) vulnerability discovered in Splunk Enterprise and Splunk Cloud Platform. The vulnerability was disclosed on October 1, 2025, affecting Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119, and 9.2.2406.122. The vulnerability exists in the Splunk Web component, specifically in the /app/search/table endpoint (Splunk Advisory, NVD).

The vulnerability allows a low-privileged user without 'admin' or 'power' Splunk roles to craft a malicious payload through the dataset.command parameter of the /app/search/table endpoint. The issue stems from improper validation of user-supplied input in the web UI. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and required user interaction (Splunk Advisory).

A successful exploitation of this vulnerability could result in the execution of unauthorized JavaScript code in the browser of a user. This could potentially lead to unauthorized access to sensitive browser-based information and compromise of user sessions (GBHackers, Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.4.4, 9.3.6, 9.2.8, or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching instances automatically. As a workaround, organizations can disable Splunk Web, though this may impact functionality. The vulnerability only affects instances with Splunk Web turned on (Splunk Advisory).